Foreword


The digital revolution is transforming the traditional ways of doing business, necessitating 
realignment of the profession to leverage the multipliers of digital technology: enhanced 
efficiency, scale and speed, effectiveness, agility and access to newer markets. In view 
of the rapid technological changes, it is imperative for Information System Auditors to adapt 
and be innovative in aiding organizations to improve their control environment and strengthen 
governance of IT risks. Adoption of emerging technologies will help them to assimilate vast 
amounts of data and provide value-added analysis in the form of data analysis and business 
intelligence. Chartered Accountants possess a unique blend of systems and process 
understanding and expertise in controls and governance, and are thereby best suited to be the 
perfect Information Systems Auditor. 


The Institute of Chartered Accountants of India (ICAI), through its Digital Accounting and 
Assurance Board (DAAB), is continuously monitoring technological developments and taking 
initiatives to disseminate updated knowledge amongst our members and other stakeholders. 
In this direction, it is heartening to note that the DAAB is bringing out the next version of the 
“Educational Material” for the Post Qualification Course on Information Systems Audit. This 
updated and revised Material combines technology, information assurance and information 
management expertise that enables Chartered Accountants to act as advisors and to handle 
assurance assignments. 


In this updated course curriculum, various aspects of emerging technologies like Blockchain, 
Robotic Process Automation, etc., have also been introduced to keep members fully abreast. 
With a focus on increased practical aspects, case studies and lab manuals at appropriate places, 
this material is a great learning guide for members aspiring to be Information Systems Auditors. 


I compliment CA. Manu Agrawal, Chairman, CA. Dayaniwas Sharma, Vice-Chairman and 
other members of the Digital Accounting and Assurance Board for this generation-next material 
in the digital era, brought out by taking up this timely initiative. 


I am confident that our members would take benefit of these updated modules of the Post 
Qualification Course on Information Systems Audit, so as to render their professional 
responsibility as Information System Auditors more efficiently and to the highest standards, to 
achieve global recognition. 


CA. Atul Kumar Gupta 
President, ICAI 


Place: New Delhi 
Date: April 12, 2020 


Preface 


The evolution of the digital economy and the ever-changing dynamic ecosystem present significant 
challenges, including new competition, new business and service delivery models, 
unprecedented transparency, privacy concerns and cyber threats. With a goal to keep 
members abreast of the impact of emerging technologies, the Digital Accounting and Assurance 
Board has come out with the updated Post Qualification Course on Information Systems Audit 
Modules to equip members with a specialised body of knowledge and skill sets so that they 
become Information Systems Auditors (ISAs) who are technologically adept and are able to 
utilize and leverage technology to provide reasonable assurance that an organization 
safeguards its data processing assets, maintains data integrity and achieves system 
effectiveness and efficiency. This updated syllabus facilitates a high-level understanding of 
the role and competence of an IS Auditor to analyse, review, evaluate and provide 
recommendations on identified control weaknesses in diverse areas of information systems 
deployment. 


The Revised Modules of the Post Qualification Course on Information Systems Audit have a specific 
objective, i.e., “To provide relevant practical knowledge and develop skills for planning and 
performing various types of assurance or consulting assignments in the areas of Governance, 
Risk management, Security, Controls and Compliance of Information Systems.” The core of 
DISA 3.0 lies in inculcating competence to add to the service delivery of the members. The 
updated course would help the members to apply appropriate strategy, approach, 
methodology and techniques for auditing information systems and to perform IS Assurance and 
consulting assignments by using relevant best practices, IS Audit standards, frameworks, 
guidelines and procedures. 


The updated ISA Course 3.0 has a blend of training and includes e-learning, live case studies 
and lab manuals, and project work in addition to classroom lectures. This updated background 
material also includes a DVD which has e-Learning lectures, PPTs, case studies, DEMO 
CAAT software, useful checklists and sample audit reports. A new Module on “Emerging 
Technology and Audit” has been added which covers Information System Assurance and Data 
Analytics, Assurance in Blockchain Ecosystem, and Embracing Robotic Process Automation 
in Assurance Services. In addition to this, Artificial Intelligence and Internet of Things (IoT) have 
also been inducted in the new modules. 


We would like to take this opportunity to place on record our deep appreciation for the efforts 
put in by the Convener, Dr. Onkar Nath, as well as the authors and reviewers of the various modules, 
viz., CA Anand Prakash Jangid, Mr. N.D. Kundu, Mr. Inder Pal Singh, Mr. Avinash Gokhale, 
CA Pranay Kochar, CA Naresh Gandhi, Dr Manish Kumar Srivastava, Dr. Saurabh 
Maheshwari, CA Narasimhan Elangovan and CA Atul Kumar Gupta. It would also be 
appropriate to express our thanks to all the ISA faculties for giving their inputs/suggestions for 
the implementation of DISA 3.0. 


We would like to express gratitude to CA. Atul Kumar Gupta, President, ICAI, and CA. Nihar 
Niranjan Jambusaria, Vice President, ICAI, for their thought leadership and encouragement to 
the initiatives of the Board. We would also like to place on record our gratitude to all the 
Board members, co-opted members and special invitees for providing their valuable guidance 
and support in this initiative of the Board. We also wish to express our sincere appreciation for 
CA. Amit Gupta, Secretary, DAAB, and Ms. Nishi Saraf, Section Officer, for their untiring efforts in 
the finalization of the updated Modules. 


We are sure that these updated Modules of the Post Qualification Course on Information Systems 
Audit would be of immense help to the members and enable them to enhance service delivery 
not only in compliance, consulting and assurance of IT services, but also to open new 
professional avenues in the areas of IT Governance, Cyber Security, Information System 
Control and assurance services. 


CA. Manu Agrawal 
Chairman 
Digital Accounting and Assurance Board 

CA. Dayaniwas Sharma 
Vice-Chairman 
Digital Accounting and Assurance Board 
Chapter 1 
Information Systems Management 


Learning Objective 


All organisations, whether big or small, use Information Systems for their day-to-day work 
and generate a lot of data or information. In this chapter, students will see how this information 
is used and who is responsible for providing services to the various departments of the organisation. 
Students will also learn how this information is used by the different users in the organisation. 


Students will study IS Management, IS Service Management, IS Policies, Procedures, 
Standards and Guidelines, Roles & Responsibilities, Human Resource Management practices 
for IT, Training and Education, and Issues and Challenges of IS Management. 


1.1 Information Systems Management 


A Business organisation can be viewed as a collection of different Business Functions such as 
manufacturing, sales & marketing, accounts and finance, purchasing etc. These functions, 
now also known as Lines of Business, are collections of various Business Processes. A 
Business Process can be further divided into activities, and an activity into tasks. 


An Information System is nothing but the use of a computer system (of hardware and software) to 
automate (either fully or partly) Business Processes, which results in Business Application 
Systems. Thus, today’s business is a complex ecosystem of business functions, processes and 
application systems, which are partly or fully automated. E.g., buying on an e-commerce 
website involves various processes such as procurement from manufacturers, advertising, 
providing a web site for customers to buy on, delivery and billing, post-sales support for 
customers etc. These e-commerce processes run with the help of the e-commerce application 
system in the form of a web site. 


With the advent of Information Technology over the past 20 to 30 years, we have today’s complex 
ecosystem of businesses having Information Technology components such as hardware, 
software, networking and telecommunication integrated with Business Processes. The 
following processes can be identified for today’s Information Technology, which is itself also a 
Business Function. 


1. Strategies for an Organization: Businesses use various strategies to compete in the 
market. Information Systems support a business in formulating these strategies by 
providing information when needed. 


2. Support Decision Making: Information Systems process data to produce Information. 
Today's Information Systems are capable of processing data leading to information and then 
processing information leading to knowledge. This helps in providing support for taking 
business decisions. E.g., an e-commerce web site can know from customers’ buying patterns 
which products the customers regularly buy, and take decisions about selling strategies. 


3. Support the Business Process: Information Systems provide support to business 
systems by automating business processes within the business function. E.g., the account opening 
process in a bank is supported by the account opening application module of the Banking 
Application. 


4. Support Operations of an Organization: Operating a Business Application is a cycle 
of entering (capturing) data into the Business Application System, processing it and producing 
output to be taken for further processing or for use by humans. This involves many operations 
to be performed with the help of Information Systems. E.g., in a manufacturing company data 
is entered and processed through various stages of manufacturing on an ERP application. 
This involves operations of data entry, processing, producing output, taking backup of data and 
so on. 


1.2 Information Systems Organisation 
Information Systems can be classified (organised) into the following 3 main categories: 


1. Based on Decision Making: This category is based on the hierarchy of decision making 
in an organisation. This is given in Figure 4.1.1. Note that the transaction processing system 
is the base, upon which the two other systems depend. 


Information System                 Decisions 
Executive Support System           Strategic Decisions 
Management Information System      Tactical Decisions 
Transaction Processing System      Operational Decisions 
Figure 4.1.1 


2. Based on Processing Requirement: This category is based on the processing 
requirement. Again, note that at the bottom there is a transaction processing system, which 
captures the basic data. This is shown in Figure 4.1.2. 


Information System                 Requirement 
Executive Support System           Tacit Knowledge 
Decision Support System            Explicit Knowledge 
Management Information System      Information 
Office Support System              Basic Data 
Transaction Processing System      Basic Data 
Figure 4.1.2 
3. Based on Hierarchy Requirement: This category is based upon the hierarchy of 
management levels, which is given in Figure 4.1.3. 


Information System                 Requirement 
Executive Support System           Executives 
Decision Support System            Senior Managers 
Management Information System      Middle Managers 
Transaction Processing System      Operators & Workers 
Figure 4.1.3 


1.3 Information Systems Service Management 


Information Technology is a service-oriented industry. It provides various services to a 
business organisation with the help of an Information Technology infrastructure consisting of 
hardware and software systems which process the data. This is known as Service Delivery, 
provided by the IT Function to the other functions in the business organisation. 


IS Service Management (ISSM) is the implementation, management and delivery of IT services 
to ensure that IT services are aligned with business needs and actively support the 
organization/company. ISSM is not only related to the availability of the IT infrastructure but 
also to the use of the infrastructure, so that the quality of IT service delivery becomes 
more effective, more efficient and more relevant to the organisation. 


Note: Many a time, the terms Information Systems and Information Technology are used 
interchangeably. Strictly speaking, Information Systems are the business processes in an 
organisation, whereas Information Technology is the use of today’s computers and 
microprocessor-based devices to automate the Information Systems. In this Module, both 
terms are used interchangeably; wherever necessary, the specific term is used. 


There are many frameworks that can be used to implement ISSM. One of them is the Information 
Technology Infrastructure Library (ITIL), the present version being version 4. ITIL is a 
proven framework which can integrate and align IT service delivery with business objectives. A 
business, by using ITIL, can provide realistic, measurable, predictable and efficient IT service 
delivery. The use of ITIL is expected to improve productivity for the company, improve 
customer satisfaction, optimize budgets, increase service availability and reduce the impact of 
risks. The ITIL service lifecycle can be described as follows: 


1. Service Strategy: Service strategy is the core of the ITIL Service Lifecycle. Service 
strategy has the following components: 

1.1. Strategy: providing value to the customer for a product or service 
1.2. Service Portfolio Management: inventory of services 
1.3. Financial Management for IT services 
1.4. Demand Management 
1.5. Business Relationship Management 


Service strategy provides guidance to all IT service providers to assist them in establishing a 
clear service strategy, especially on how to design, develop and implement service 
management, not only as an organizational capability but also as a strategic asset. The 
strategy used should provide sufficient value to the customer and must meet the strategic 
objectives of the IT service providers. Therefore, it is necessary for IT service providers to 
answer the following questions: 


(1) What services should be offered? 

(2) To whom should the services be offered? 

(3) How should the internal and external marketplaces for their services be developed? 

(4) What is the potential competition in the marketplace? 

(5) How will the customers and stakeholders perceive and measure value, and how will this 
value be created? 

(6) How will the customer make the decision in selecting the services of various types of 
service providers? 

(7) How will visibility and control over value creation be achieved through financial 
management? 

(8) How will robust business cases be created to secure strategic investment in service 
assets and service management capabilities? 

(9) How will the allocation of available resources be arranged to provide a more optimal 
impact on the portfolio of services? 

(10) How will service performance be measured? 


2. Service Design: Service Design is the design of IT services, processes and other 
aspects of the service management effort. Service design addresses a planned service 
solution which interacts with the larger business and technical environments. Service 
management systems are required to support the services, the processes which interact with the 
services, and the technology and architecture to support the services, along with the supply chain 
required to support the planned services. The following processes are part of service 
design: 

1. Design coordination 
2. Service catalogue management 
3. Service-level management 
4. Availability management 
5. Capacity management 
6. IT service continuity management 
7. Security management 
8. Supplier management 


3. Service Transition: ITIL describes Service Transition as follows: the role of Service Transition 
is to deliver services that are required by the business into operational use. This area also 
covers various aspects such as managing changes to the Business environment. The list of 
processes in service transition is as follows: 

1. Transition planning and support 
2. Change management 
3. Service asset and configuration management 
4. Release and deployment management 
5. Service validation and testing 
6. Change evaluation 
7. Knowledge management 


4. Service Operation: Service Operation aims to provide best practice for achieving the 
delivery of agreed levels of services to both end-users and customers. Service operation is 
the part of the lifecycle where the services and value are directly delivered. The monitoring 
of problems and the balance between service reliability and cost etc. are also considered. Processes in 
service operation are as follows: 

1. Event Management 
2. Incident Management 
3. Request Fulfilment 
4. Access Management 
5. Problem Management 

Functions in service operation are as follows: 

1. Service Desk 
2. Technical Management 
3. Application Management 
4. IT Operations Management 


5. Continual Service Improvement: Continual service improvement (CSI) aims to align 
and realign IT services to changing business needs. CSI views improvement from 
the business perspective of service quality. CSI aims to improve the process effectiveness, 
efficiency and cost effectiveness of the IT processes throughout the whole lifecycle. To manage 
improvement, CSI should clearly define what should be controlled and measured. 


To be successful, CSI needs upfront planning, training and awareness, ongoing scheduling, roles created, 
ownership assigned and activities identified. CSI must be planned and 
scheduled as a process with defined activities, inputs, outputs, roles and reporting. CSI 
focuses on improvement, tying together service design, service transition and service 
operation, which in turn helps raise the bar of operational excellence for IT. 


1.4 Roles & Responsibilities 


Every task in an organisation is divided into processes, and each process owner has a specific 
job to perform. A Role is the defined or expected behaviour associated with a particular 
position, function or status in an organization. A Responsibility is an obligation to satisfactorily 
perform or complete a task. 


1. User Data: Data which is owned and created by a user. The term user data indicates 
the position of the data in the data hierarchy of the organisation. 


2. Data Owner: The data owner is a member of senior management who is in charge of a 
specific department, such as Finance, HR, IT or Operations. The Data Owner is responsible for the 
protection, classification, backup strategy and use of this information. 


3. Data Custodian: The data custodian (who holds the responsibility on behalf of others) 
is responsible for storing, maintaining, backing up, provisioning and protecting the data on behalf 
of the Data Owner. 


4. System Owner: Data generated in an organisation has a specific lifecycle within that 
organisation. The IT equipment needed to support the data throughout its lifecycle is called a system. 
The person who is responsible for the design, development, integration, operation and 
maintenance of this equipment is called the System Owner. 


5. System Administrator - System administrator is a technical expert who is responsible 
for installing, upgrading, patching, supporting and maintaining computer systems and other 
computer equipment. 


6. Database Administrator - A database administrator is a technical expert who 
maintains the database of an organisation and provides all due care and due diligence to 
ensure data security and data integrity. 
7. Network Administrator: A network administrator is a technical expert responsible for 
installing, supporting, maintaining and upgrading computer networks. It is the responsibility of 
the network administrator to keep the computer networks up and running. 


8. Process Owner: As we discussed earlier, various processes constitute a business. A 
process receives input/s from other processes, performs a transformation on the said input/s and 
yields output/s. The person who is ultimately responsible for the effective and efficient 
working of a process is called the Process Owner. Process owners use Six Sigma techniques 
(process improvement science) for improving the performance of a process, leading to 
improvement of business operations. 


9. User Manager: The user manager is either an independent role, part of the system administrator team, 
or a role that the system administrator may also hold. The Systems Administrator manages the system users 
of an organisation by creating users, editing users’ data, deleting users, and provisioning and revoking 
access rights etc. 


10. Steering Committee: It is a committee formed of different heads of departments to 
drive a project or programme (not a computer program). A steering committee usually consists of the 
heads of the finance department for funding, the HR department for human resources and the IT 
department for IT systems and data security. Therefore, a steering committee is a senior-level 
committee which monitors, drives and controls the project or programme. 


11. Security Manager - Security Manager is responsible for implementing the Information 
and Cyber Security for an organization. Organisations frame and implement security policies, 
regulations, rules, procedures and norms related to information technology in coordination 
with security managers to protect IT systems and user data. 


12. CISO - A Chief Information Security Officer (CISO) is a senior-level officer of the 
organization, responsible for Information and Cyber Security and data privacy of the 
organisation. 


13. CIO - Chief Information Officer (CIO), or Head of IT, is responsible for the digital initiatives of 
the organisation. 


14. CTO - Chief Technology Officer - CTO is responsible for Information and 
Communication Technologies (infrastructure) of an organisation. 


1.5 Human Resource Management 


Human Resource Management (HRM) is the management of personnel in an organisation. 
People are key resources of an organisation and are the only living component among the other 
artefacts of the organisation. HRM performs various tasks related to personnel such as 
recruitment, skills upgradation, promotion and retirement. The role of HRM in Information and 
Cyber Security is three-fold, as per ISO 27001, and is given below: 
1. Prior to employment: Background checking of personnel before employment, and 
defining functional and Information and Cyber Security related terms of employment. 


2. During employment: Information Security awareness, education and training apart 
from functional training; rewarding or penalising for security breaches. 


3. Termination or change of employment: Information Security related checks during the exit 
of employees; terms and conditions in respect of Information Security shall continue 
after employee exit as well. 


1.6 Training & Education 


HR provides functional education and training for employees from time to time. Awareness 
and training about Information Security is also provided periodically. Employees can be 
trained in the following different ways: 


1. Instructor-led Training: Instructor-led training is the traditional type of employee 
training which takes place in a classroom with a trainer in the role of a teacher. 


2. E-Learning: E-Learning is on-demand Computer Based Training (CBT) given 
through videos, presentations, tests and various courses. 


3. Simulation-based training: Simulation training is most often provided through 
computer software or a virtual reality device. Generally, this type of training is available for 
highly skilled sectors such as aviation, energy and power. However, nowadays, computer 
simulation training is also available in schools and colleges. In simulation training, 
computer simulation software depicts the topics of the training as various scenarios, and a student 
can easily learn with the help of the simulated scenarios. E.g., in banking, ATM simulators are 
available which graphically allow a person to withdraw money as if s/he were using a real 
ATM machine. 


4. Hands-on training: Hands-on training may be given as the next step after simulation 
training. In this training a student is given the actual equipment or system, which can be used to 
become familiar with it. 


5. Coaching or mentoring - In coaching or mentoring, a trainer gives personal attention 
to students and guides them to enhance their skills. This is like grooming of a student in such 
a way that, the student can handle the work independently. 


6. Group Discussions and Activities: In group discussion-based training, a trainer 
gives a case study to a group of students and asks them to discuss the case in the group. 
The trainer observes the performance of the groups, analyses it and guides them on better ways 
of solving the case. 


7. Role Playing: In role-playing training, a trainer assigns roles to students and, by 
providing a real-life situation, asks them to perform these roles. The other students and the trainer 
observe the roles played and then discuss, deliberate and learn the subject. 


8. Management Specific Activities - This training is for finding managerial and 
leadership qualities, behavioural skills, project management skills in students. 


9. Case studies: In this kind of training, a trainer discusses case studies for problem-
solving. This can be conducted in groups, as mentioned above, or the trainer explains the case 
and its solution to the students. 


1.7 Supply Chain Management (SCM) 


Supply Chain Management is the management of the entire chain of producing finished goods 
from raw materials. It involves managing suppliers of raw materials, equipment and work-force through to 
the customers of the finished goods. 


The Information System (IS) of an organisation provides the integration of areas such as Goods 
Receipt Notes (GRN), Stores Indents to Production, Delivery Challans and Despatch Slips. It also 
helps the organisation in logistics arrangements, monitoring and goods tracking till final delivery 
to customers. Information Systems have brought dramatic changes in the way in which SCM was 
managed prior to Information Systems. These are listed below: 


i. E-Commerce: buying and selling through a web site 

ii. Electronic Data Interchange (EDI): electronic data exchange between suppliers, 
purchasers, bankers etc. 

iii. Barcode Scanning 

iv. Data Warehouse 

v. Enterprise Resource Planning (ERP) 

vi. Internet Technologies 

vii. Mobile Communications 

viii. Payment Gateways 

ix. Fin-Techs: financial technology services for the exchange of financial information 

x. Software & Applications 


1.8 Customer Relationship Management (CRM) 


Organisations can do business because they have customers. Organisations deliver value to their 
customers through products and services. Customer Relationship Management helps in 
delivering this value by ascertaining exact customer needs regarding quality, price, pre- and post-sales 
support etc. 
In order to satisfy customer needs, Information Systems have made substantial progress in 
CRM. Today, CRM can be provided through web sites, emails, mobile applications and so on. 
Information Systems help businesses to track customer orders, create customer profiles, allow 
customers to compare products and pricing, maintain customer history and provide other 
support services. 


There are various IS components of CRM which have dramatically changed today’s businesses; 
they are listed below: 

i. E-Commerce 

ii. Data Warehouse 

iii. Enterprise Resource Planning (ERP) 

iv. Internet Technologies 

v. Payment Gateways 

vi. Software & Applications 

vii. Data Mining 

viii. Artificial Intelligence 

ix. Business Analytics 


1.9 Issues and Challenges of Information Systems Management 


Due to the diversity of organisations, Information Systems management is a challenging area. 
The following challenges can be seen: 


1. New Technology: It is found that technology is changing twofold every year, 
whereas other business processes are relatively slower to change. It is therefore necessary 
to keep abreast of changing technology and suitably upgrade the organisation's processes. This 
is very challenging. 


2. Personal Devices: Due to portable and hand-held devices such as tablets and mobile 
phones, organisations find it difficult to control the use of such devices, even when the organisation 
itself provides these devices. 


3. Interoperability: New technologies provide ease of operation and may increase 
productivity, but at the same time impose a lot of challenges in managing interoperability 
with existing or legacy systems. 


4. User Systems: Users work in an organisation using desktops, laptops, notebooks, 
tablets and smartphones, which are connected to the IT infrastructure of the organisation. Security 
hazards such as data leakage through alternative connectivity pose serious challenges to 
the organisation. 
5. Cyber Security Threats: Cyber security threats in an organisation arise due to the following 
reasons: 

i. Weak security policies & procedures 

ii. Lack of standardisation 

iii. Lack of proper controls 

iv. Lack of user training and user awareness about security 


6. Data Control - Nowadays, growth in data in an organisation is tremendous. Managing 
this data growth poses the following hazards - 

i. Data Corruption 

ii. Data unavailability 

iii. Data leakage 

iv. Data Theft 

v. Data privacy 


To overcome these challenges, proper cyber security measures such as Data Leakage 
Protection (DLP) solutions need to be implemented. Proper data backup and physical controls 
are necessary to protect the data. 


7. Trained manpower: Continuous changes in technology pose hurdles in getting 
trained manpower. Providing training on the latest technology for the work-force involves heavy costs, 
and difficulties are also faced in retaining the trained work-force. 


8. Management Support - Providing senior management support for monitoring and 
supervisory responsibilities also poses challenges for organisations. 


9. Service Level Agreements: A service level agreement is a measurable agreement 
between a service-providing vendor and a service-availing customer. There are various 
challenges that need to be looked into by both parties, such as a clear scope of service, 
metrics measurement, responsibilities etc. 


10. Fourth Party Risk: Outsourced vendors further outsourcing to their own vendors is known 
as fourth party outsourcing. Such fourth party outsourcing poses risks of data leakage, loss of data 
privacy, non-compliance with regulatory guidelines etc. 


1.10 Summary 


In this chapter, we discussed Information Systems Management, which involves the 
application of people, technologies and procedures collectively to solve business problems. 
We also learned that organisations can be classified based on decision making, hierarchy and 
processes. 
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In the Information Service management, we went through IS Service Management (ISSM) 
implementation and management of IT services using ITILv4 to ensure that, IT services are 
aligned with business needs and actively support organization. We discussed IS policies, 
Procedures, Standards and guidelines for secure working on Information Systems. We also 
discussed various roles and responsibilities of employees in an organisation for the realisation 
for various processes. HRM has a role to play in Information Systems and security matters. 
Lastly, we discussed various issues and challenges in Information Systems management. 
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1.11 Questions 
1. Which of the following is a common feature for all the policies? 
A. Encryption 
B. Standards 
C. Acceptable use policy 
D. Process 

2. Which of the following is not an HRM function? 
A. Recruitment 
B. Cyber security training 
C. Security Policy approval 
D. Appraisal 

3. Which of the following trainings can an employee acquire while working at his/her 
desk in the office? 
A. E-learning 
B. Simulator based training 
C. Instructor led training 
D. Hands on training 

4. For unexpected and sudden changes in technology, organisations need to be 
A. Innovative 
B. Agile 
C. Expert 
D. Doer 

5. Who owns the data in a department? 
A. System owner 
B. Process owner 
C. Data custodian 
D. Data owner 

6. The GREATEST challenge in outsourcing data processing is 
A. Data confidentiality 
B. Distance 
C. Data integrity 
D. Cost 

7. Which one of the following combinations of roles should be of GREATEST 
concern for the IS auditor? 
A. Network administrators are responsible for quality assurance 
B. Security administrators are system programmers 
C. End users are security administrators for critical applications 
D. Systems analysts are database administrators 

8. Accountability for the maintenance of appropriate security measures over 
information assets resides with: 
A. Security administrator 
B. Systems administrator 
C. Data and systems owners 
D. Systems operations group 

9. The decision-making environment of an operational level manager can be 
characterized as: 
A. Structured 
B. Semi-structured 
C. Unstructured 
D. None of these 

10. Which department is MOST LIKELY to store Personally Identifiable Information 
(PII) data? 
A. Management 
B. Information System Department 
C. Marketing Department 
D. Human Resource Department 
1.12 Answers and Explanations 

1. The correct answer is C 

An Acceptable use policy is a set of rules applied by the owner, creator or administrator 
of a network, website, or service, that restrict the ways in which the network, website or 
system may be used and set guidelines as to how it should be used. It must be abided 
by all employees of the organization. Choices A, B, and D are not common to all policies. 

2. The correct answer is C 

Approval of the policy is the responsibility of the governing board of the organization. All 
other options are functions of HRM. 

3. The correct answer is A 

E-learning is a learning environment which uses information and communication 
technologies (ICTs) as a platform for teaching and learning activities. The rest of the 
trainings require in-person attendance and cannot be done from the office desk. 

4. The correct answer is B 

Agility is the organization's ability to quickly or proactively react to technological 
changes. Choices A, C, and D are based on the needs of the organization and not 
necessarily on a change in technology or in the environment in which the organization 
operates. 

5. The correct answer is D 

The data owner has the ability to create, edit, modify, share and restrict access to the 
data. Data ownership also defines the data owner's ability to assign, share or surrender 
all of these privileges to a third party. The IT department acts as the data custodian, 
responsible for the safe custody, transport and storage of the data and implementation of 
business rules. The system owner is a person or department having responsibility for the 
development, procurement, integration, modification, operation and maintenance, 
and/or final disposition of an information system. The process owner is a person who is 
accountable for the performance of the process and manages the process on a daily 
basis. 

6. The correct answer is A 

The main challenge while outsourcing data processing is data confidentiality. 
Companies feel comfortable sharing data only with employees whom they trust or 
who are bound by contractual commitments to keep the data undisclosed. 
The majority of outsourcing firms sign a strict non-disclosure agreement with the 
companies, which assures that the data will be kept confidential and that any breach of 
the agreement is punishable under the law. Choices B and D are advantages of 
outsourcing. Data integrity is the overall completeness, accuracy and consistency of 
data. Data integrity, although very important, does not pose a greater challenge than 
data confidentiality. 

7. The correct answer is B 

When individuals serve multiple roles, this represents a separation of duties problem 
and is associated with risk. Security administrators should not be system programmers, 
due to the associated rights of both functions. A person with both security and 
programming rights could do almost anything on a system. The other combinations of 
roles are valid from a separation of duties perspective. Ideally, network administrators 
should not be responsible for quality assurance because they could approve their own 
work. However, that is not as serious as the combination of security and programming, 
which would allow nearly unlimited abuse of privilege. In some distributed 
environments, especially with small staffing levels, users may also manage security. 
A database administrator is a very privileged position, but it is not in conflict with the 
role of a systems analyst. 

8. The correct answer is C 

Management should ensure that all information assets (data and systems) have an 
appointed owner who makes decisions about classification and access rights. System 
owners typically delegate day-to-day custodianship to the systems delivery / operations 
group and security responsibilities to a security administrator. Owners, however, remain 
accountable for the maintenance of appropriate security measures. 

9. The correct answer is A 

An operational level manager is the lowest level of manager and is engaged in day-to-day 
activities, which require detailed information. Hence the decision-making environment is 
structured. For administrative (middle) and top management, the decision-making 
environment is semi-structured and unstructured respectively. 

10. The correct answer is D 

Personally identifiable information (PII) is any information about an individual that can 
be used to distinguish or trace an individual's identity, such as name, PAN, Aadhaar 
number, date and place of birth, mother's maiden name, or biometric records. The HRM 
system stores the PII of all employees. Choices A, B and C do not store or process 
employee personal information; they hold operations or transaction data. 


Chapter 2 
Information Systems Operations 


Learning Objectives 


Operations management represents support for issues faced in day-to-day business. 
Information Systems Operations support is the support given to users. In this chapter, 
students shall study topics such as Information Systems Operations, Management of IS 
Operations, Asset Management, Change Management, Configuration Management, Version 
Control, Log Management, User Management, Operations Helpdesk & User Assistance and IS 
Operations Performance Measurement. 

2.1 Information Systems Operations 

An operation is a procedure to set forth or produce a desired result. Operations depend entirely 
on the business and its objectives. Information Systems Operations, in this regard, are - 

i. Procurement of IT systems 
ii. Service to the users 
iii. Data management 
iv. Server administration 
v. Configuration management 
vi. Security operations 
vii. Log management 
viii. Application and operating system support 

It is worth mentioning here that the IT function should be capable of handling the IT operations 
and able to assess the users' requirements. The seven areas of interest that need to be met are - 

1. Availability of IT manpower 
2. Approved policies, standards, procedures and guidelines 
3. Mix of domain and technical experts 
4. Sustained training programs 
5. Cyber security 
6. Data privacy 
7. Management support 
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2.2 Management of IS Operations 


Management of IS operations involves managing the operations of Information Systems for 
customers, managing IT infrastructure (e.g. servers) and managing computing devices. This 
is depicted in Figure 4.2.1. 

IT infrastructure includes data centre operations, protecting cabling infrastructure (electrical 
and network cabling), telecommunication network operations including Local Area Network 
(LAN) and Wide Area Network (WAN), HVAC (heating, ventilation and air conditioning of the 
data centre), power systems, fire protection systems, etc. 

Server operations management includes server administration, log management, user access 
management, data backup, operating system management, application management, 
database management, etc. 

User operations include providing service to the users and setting up a helpdesk for password 
reset, email support, internet support, ERP support, etc. User operations also include 
peripheral support such as support for printers, scanners, modems, wireless devices, etc. 

Management of these three, i.e. IT infrastructure, server operations and user operations, 
gives rise to the following interfaces - 

i. IT Infrastructure - Server Operations interface 
ii. IT Infrastructure - User Operations interface 
iii. Server Operations - User Operations interface 
iv. IT Infrastructure - Server Operations - User Operations interface 

Identifying and segregating these interfaces helps the IT department to manage the IT 
operations properly. 

[Figure 4.2.1 (image not reproduced): Information Systems Operations, shown as three 
overlapping areas - IT Infrastructure, Server Operations and User Operations.] 

Figure 4.2.1: Constitution of IS Operations Management 


2.3 Asset Management 


The Information Technology Infrastructure Library (ITIL) describes IT Asset Management as all 
components of the infrastructure and processes necessary for the effective management, 
control and protection of the hardware and software IT assets within an organization, throughout 
all stages of their lifecycle. 

As the business processes of an organisation change over time, with changes in the internal 
and competitive external environment, the IT infrastructure also needs to change. This calls 
for augmentation of servers with installation of operating systems and applications, network 
infrastructure such as cabling, Ethernet switches and routers, and cyber security equipment 
such as antivirus, firewalls, IPS/IDS (Intrusion Prevention System / Intrusion Detection 
System) and SIEM (Security Information and Event Management) tools, etc. 

For better monitoring and tracking of IT assets, it is very important for the IT head and the 
respective administrators to continuously scrutinise and supervise the various process 
requirements in the organisation. After scrutinising the various process requirements, the IT 
department has to take decisions such as - 

i. Upgrading existing infrastructure 
ii. Phasing out legacy hardware or software 
iii. Declaring and disposing of e-waste 
iv. Procurement of new devices and software 
v. Licensing of software 
vi. Development of software (either in-house or outsourced) 

IT asset management methodology - IT assets can be managed through the process of IT 
asset management as follows - 

i. With the concept of stores (physical or virtual) 
ii. A tracing system for assets (e.g. using RFID (Radio Frequency Identification) tags or a 
Network Management System) 
iii. A policy for the life of the equipment (e.g. for PCs 3 years, network infrastructure 5 years, 
cabling 10 years, security equipment 5 years, etc.) 
iv. The concept of check-in and check-out of an asset from the asset inventory. 

Benefits of IT asset management - The benefits of having IT asset management are many, as 
detailed below - 

i. Proper risk assessment and management of assets is possible 
ii. Proper decision making is possible (e.g. when to dispose of an asset) 
iii. Asset tracking, monitoring and control 
iv. Dealing with the asset lifecycle 
v. Accountability for asset acquisition 
vi. Proper audit is possible 

An accurate asset register also underpins the other security controls: a device or software 
that is not in the inventory will not be patched, monitored or decommissioned. 


2.4 Change Management 


Managing change is an important aspect of every organisation. With the changing business 
environment, it is necessary to either procure new hardware and/or software or make 
necessary changes to existing infrastructure for an organisation to continue its operations. 

The IT department of the organization must be capable of effectively and efficiently handling 
changes. It is necessary for the IT department to manage changes against the following criteria - 

i. Minimum cost 
ii. Minimum business disruption 
iii. Good quality 

Change management process - Change Management is the process (Figure 4.2.2) to 
control the deviation from normal operations at the time of making changes to any equipment 
or process. If done correctly, change management results in efficient changes, with proper 
documentation and continued stability of operations. The change management process is as 
follows - 

1. Request for Change (RFC) - Any change should be initiated through a Request for 
Change (RFC). Such a request for change shall be processed stepwise, with review and 
monitoring. A proper request, with proper documentation and a proper explanation of what, 
why, how and by whom, makes for an effective change management process. 

[Figure 4.2.2 (image not reproduced): the change management cycle - RFC, RFC Analysis, 
Change Prioritization, Categorization, Change Advisory Board, Change Schedule, Implement 
Change, Review.] 

Figure 4.2.2: Change Management Process 


2. RFC Analysis - The purpose of RFC analysis is to conduct an initial scrutiny of the request 
sent by the initiator, to check the feasibility of the request. 

3. Change Prioritization - Based on the risk assessment, the priority among the 
change requests is decided. This priority list (portfolio of changes) is decided based on the 
cost of the change, the time required to effect the change and the resources needed, as per 
the impact analysis. 

4. Categorize - Change categorization is performed to categorize changes requested by 
different stakeholders in the following way - 

i. Type of change required 
ii. Time when it should be done 
iii. Cost of change 
iv. Resources needed (e.g. software, manpower) 
v. Process affected 

5. Change Advisory Board (CAB) - The RFC, after analysis, prioritization and categorization, 
is put forth for approval of the Change Advisory Board (CAB). The CAB is constituted from 
personnel of different departments (department heads or seniors), along with the IT and 
finance departments. The CAB meets regularly to approve or reject changes. 

6. Change Schedule - After approval, the requested change is scheduled for actual 
implementation at a set date and time. The schedule of the change depends on whether it is - 

i. Emergency 
ii. Urgent (priority basis) 
iii. Normal 

7. Test Change - Before the change is applied to the live (production) system, it should be 
applied and tested in a test environment. The reasons for such testing are as follows - 

i. To know the impact of the change - e.g. is there a performance degradation? 
ii. Compliance - does the change comply with the original requirement? 
iii. Satisfaction of the change initiator 

8. Implementation - After testing, the changes are implemented on the live system in 
one of the following manners - 

i. Immediately 
ii. Scheduled, based on certain conditions 
iii. Partially immediately, or scheduled partially based on certain conditions 

A documented rollback (back-out) plan should be ready before implementation, so that the 
change can be reversed if the review in step 9 finds adverse effects. 

9. Review - After implementation, the production environment needs to be kept under 
observation for monitoring and for any adverse effect due to the applied change. This 
observation covers the following - 

i. Logs - they may give important information about the situation 
ii. System files 
iii. Performance of the system 

2.5 Configuration Management 


The configuration of any computing device, software application, security product, 
mobile or tablet consists of the operational and physical characteristics set forth in the 
operational and technical documentation of the product. When the configuration of a device 
or software undergoes changes, a new release or version of the device or software comes into 
existence. 

Configuration management is planning, identifying and managing the configuration with 
proper procedure and controlled changes, so as to maintain authenticity, accountability and 
integrity throughout the life cycle of the hardware, firmware (built into the hardware) or 
software. 


To make configuration management successful, it is important for the organisation to 
implement the following practices - 

i. Policy, standards, procedures and guidelines 
ii. Formation of a change control board 
iii. Documentation 
iv. Pre-launch testing 
v. Proper training and skills upgradation of personnel 
vi. Timeliness 
vii. Clear scope of work 
viii. Optimisation 

Configuration management constraints - The constraints on configuration management 
are many; some of them are listed below - 

i. Non-availability of skilled resources or lack of training of IT manpower 
ii. Absence of a change control board 
iii. Either absence of policy, procedures and guidelines, or non-adherence to them 
iv. Poor quality of the configuration 
v. Incomplete, poor or absent scope of work 
vi. Delayed responses 
vii. No pre-launch testing 
viii. No fund availability from the organisation 


Configuration management process - The configuration management process in an 
organisation is generally based on industry best practice. Adherence to policies, 
standards, guidelines and procedures aligns the configuration management process with the 
objectives of the IT department, which in turn are aligned with the objectives of the 
organisation. 

The configuration management process is explained as follows - 

1. Configuration Items (CI) - The IT department, along with the data owners, identifies the 
Configuration Items that need to be configured as per the Configuration Management Policy of 
the organisation. The following are determined by the IT department during the 
identification of Configuration Items - 

i. Devices and software that need to be configured 
ii. Present versions 
iii. Test bed for testing configuration changes 
iv. Tools and techniques 

2. Configuration Control (CC) - Configuration control is the term used throughout the 
lifecycle of any hardware or software configuration change. Configuration control 
refers to the following - 

i. Description of change/s 
ii. Approving authority 
iii. Resources, funds and prescribed downtime 
iv. Change in scope of work 
v. Quality assurance 
vi. Time frame 

3. Configuration Status Accounting (CSA) - Configuration Status Accounting (CSA) is 
about the documentation and communication of information, in the form of status reports, 
needed to control and monitor configuration. 

Reports of changed configuration may be used by the following - 

i. Operations and maintenance team 
ii. Security Operations Centre team 
iii. Anyone needing information about the latest version or configuration 
iv. Project or program management team 
v. Audit team 
vi. Software development and software testing teams 

4. Configuration Auditing - Configuration auditing is used to provide quality assurance 
for the configuration changes done. It verifies that the deployed configuration matches the 
approved (baseline) configuration, and satisfies the respective stakeholders about the 
required operational, functional and physical characteristics. 

5. Locking the Configuration - Once the configuration is finalised, it can be locked 
(baselined) to prevent unauthorised changes; any later deviation from the locked baseline is 
then detectable by a configuration audit. 
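Steps 3 to 5 above (status accounting, auditing and locking) come together in one practical control: record a fingerprint of every approved configuration item, then periodically compare what is actually deployed against that record. The Python code below is an added example written for this material, not code from the course or any product. The configuration item names and their contents are constructed sample data; the "deployed" state in `sample_drift()` is likewise invented to show what an audit report looks like when someone re-enables root login and an unapproved host appears.

```python
# Added example (not from the course material): a configuration audit that
# compares deployed configuration items against a locked baseline. The CI
# names and their contents below are constructed sample data.
import difflib
import hashlib

BASELINE_ITEMS = {
    "fw-edge-01:rules": "permit tcp any 10.0.0.10 443\ndeny ip any any\n",
    "app-srv-02:sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "db-srv-01:version": "PostgreSQL 14.9\n",
}


def fingerprint(content: str) -> str:
    """SHA-256 of a CI's content; a one-character change gives a different digest."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def lock_baseline(items: dict) -> dict:
    """Status-accounting record of the approved state: CI name -> digest.
    Only digests are kept, so the record itself reveals no secrets."""
    return {name: fingerprint(content) for name, content in items.items()}


def audit(baseline: dict, current: dict) -> dict:
    """Classify every CI as unchanged, changed, missing (approved but not
    deployed) or unexpected (deployed but never approved)."""
    report = {"unchanged": [], "changed": [], "missing": [], "unexpected": []}
    for name, digest in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif fingerprint(current[name]) != digest:
            report["changed"].append(name)
        else:
            report["unchanged"].append(name)
    report["unexpected"] = [n for n in current if n not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def is_compliant(report: dict) -> bool:
    return not (report["changed"] or report["missing"] or report["unexpected"])


def describe_change(name: str, approved: str, deployed: str) -> list:
    """Line-level diff for a changed CI, for the CSA report. This needs the
    approved text itself, not just its digest, so keep the approved copy too."""
    return list(difflib.unified_diff(approved.splitlines(), deployed.splitlines(),
                                     fromfile=name + " (baseline)",
                                     tofile=name + " (deployed)", lineterm=""))


def sample_drift() -> dict:
    """Constructed 'deployed' state: root login re-enabled on one server,
    plus a host nobody approved."""
    current = dict(BASELINE_ITEMS)
    current["app-srv-02:sshd_config"] = "PermitRootLogin yes\nPasswordAuthentication no\n"
    current["rogue-host:rules"] = "permit ip any any\n"
    return current


if __name__ == "__main__":
    locked = lock_baseline(BASELINE_ITEMS)
    deployed = sample_drift()
    rep = audit(locked, deployed)
    print("compliant:", is_compliant(rep), rep)
    for ci in rep["changed"]:
        print("\n".join(describe_change(ci, BASELINE_ITEMS[ci], deployed[ci])))
```

In production the `current` dictionary would be filled by collecting the live files or device exports, and the locked baseline would be stored separately from the systems it describes, so that an attacker who changes a configuration cannot also rewrite the record it is audited against.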


2.6 Version Control 


As discussed earlier, any change in the business environment forces the IT team to change the 
configuration of software and/or hardware. In some organisations, the number of such changes 
may be very high, e.g. 10 to 15 changes in a week. As discussed earlier, this is effected through 
the change management process. Due to changes in hardware or software, a different release or 
version of the system comes into existence. If the changes are frequent, such as 10 to 
15 changes a week, it is necessary to keep track of the new releases or versions. This is 
done through version control. 

The characteristics and features of a version are - 
a. Version number 
b. Date 
c. Included and excluded features 

To track and control the versions of a system, the IT department uses a Version Control System 
(VCS). A VCS allows the IT department to keep track of version numbers and their release dates. 
A VCS assists the IT team with the following - 

i. Repository of the contents 
ii. Record of previous versions 
iii. Access to older versions 
iv. Maintaining logs for accounting and details of changes 

The benefits of having a good version control system (VCS) are given below - 
1. Remote team coordination in development is possible 
2. Improvement in scalability (growth of the system) 
3. Fast, efficient and reliable 
4. Integrity of versions is maintained 
5. Improved accountability 
6. Immutability (locking of a version) 
7. Atomic transactions (atomic - lowest possible unit; a change is either recorded in full or 
not at all) 


2.7 Log Management 


A log is a record of events generated by computers, peripherals, communication 
networks, firewalls, IPS/IDS, UTMs, etc. Logs provide the following details - 

i. Date of the event 
ii. Time of the event 
iii. Details of the user responsible for the event 
iv. Action details of the user 

Therefore, logs record all the actions of an event, and review of logs can reveal very important 
information about the event. Audit logs are detective in nature and are mandatory for some 
organisations (e.g. the banking sector) as per banking regulations. Because an intruder who 
gains privileges on a system will try to erase or alter its logs, logs should be forwarded promptly 
to a separate, write-protected log store rather than kept only on the generating system. Log 
management involves the following activities - 

i. Identification of log events to be recorded (all events may not be recorded in logs) 
ii. Log collection - collecting events in a log file 
iii. Log aggregation 
iv. Storage of aggregated logs 
v. Analysis and reporting 
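The five activities above are easier to picture as one pipeline over real-looking lines. The Python code below is an added example, not part of the course material or of any product: it takes a handful of constructed syslog-style lines (the host names, addresses and process IDs are invented), decides which events are worth recording, parses them into structured events, aggregates counts per source, serialises them in the line-per-record form a central log store would take, and finally analyses them for a brute-force login pattern followed by a successful login. The threshold of three failures within five minutes is an assumed tuning value.

```python
# Added example (not from the course material): a small log-management
# pipeline over constructed sample lines - identify the events worth
# recording, collect (parse) them, aggregate, serialise for storage, and
# analyse for a brute-force login pattern. Hosts, addresses and the
# threshold/window values are assumptions.
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-05T09:12:01Z srv-app01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-05T09:12:04Z srv-app01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-05T09:12:09Z srv-app01 sshd[2214]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-05T09:12:30Z srv-app01 sshd[2218]: Accepted password for admin from 203.0.113.7 port 51030 ssh2
2024-03-05T09:15:00Z srv-app01 sshd[2300]: Accepted publickey for deploy from 10.0.0.21 port 40012 ssh2
2024-03-05T09:15:07Z fw-edge01 kernel: DENY IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=3389
2024-03-05T09:16:45Z srv-app01 sshd[2305]: Failed password for backup from 10.0.0.21 port 40020 ssh2
2024-03-05T09:17:00Z srv-app01 CRON[2310]: pam_unix(cron:session): session opened for user root
"""

# timestamp host program[pid]: message
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

# Activity i: which events are worth recording. Lines matching none are dropped.
EVENT_PATTERNS = [
    ("failed_login", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("accepted_login", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("fw_deny", re.compile(r"DENY .*SRC=(?P<src>\S+)")),
]


def parse_line(line: str):
    """Activity ii: turn one raw line into a structured event, or None if not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, program, msg = m.groups()
    for kind, pat in EVENT_PATTERNS:
        hit = pat.search(msg)
        if hit:
            fields = hit.groupdict()
            return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
                    "program": program, "kind": kind,
                    "user": fields.get("user"), "src": fields["src"]}
    return None


def collect(lines) -> list:
    return [e for e in (parse_line(line) for line in lines) if e]


def aggregate(events) -> Counter:
    """Activity iii: counts per (event kind, source address)."""
    return Counter((e["kind"], e["src"]) for e in events)


def to_jsonl(events) -> str:
    """Activity iv: one JSON object per line, the usual format for a central log store."""
    return "\n".join(json.dumps({**e, "ts": e["ts"].isoformat()}) for e in events)


def analyse(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Activity v: flag sources with >= threshold failed logins inside the window,
    and a successful login from the same source after such a burst."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] in ("failed_login", "accepted_login"):
            by_src[e["src"]].append(e)
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["kind"] == "failed_login"]
        # earliest point at which `threshold` failures fit inside `window`
        burst_end = next((fails[i + threshold - 1] for i in range(len(fails) - threshold + 1)
                          if fails[i + threshold - 1] - fails[i] <= window), None)
        if burst_end is None:
            continue
        findings.append({"type": "brute_force", "src": src, "failures": len(fails)})
        later_success = [e for e in evs if e["kind"] == "accepted_login" and e["ts"] >= burst_end]
        if later_success:
            findings.append({"type": "success_after_failures", "src": src,
                             "user": later_success[0]["user"]})
    return findings


if __name__ == "__main__":
    evs = collect(SAMPLE_LOG.splitlines())
    print(aggregate(evs))
    for finding in analyse(evs):
        print(finding)
```

Note what the pipeline deliberately does not keep: the cron session line is parsed but discarded because it matches no pattern of interest, which is the "all events may not be recorded" decision from activity i made explicit in code. The single failed login from 10.0.0.21 is recorded and counted but produces no finding, so the threshold and window are what separate noise from a reportable event.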


2.8 User Management 


User management covers creating a user profile, user account setup, user account 
modification, account termination (suspension) and deleting a user profile on the Information 
Systems (IS) of the organisation. 

The user profile lifecycle is depicted in Figure 4.2.3. 

[Figure 4.2.3 (image not reproduced): User Management at the centre, surrounded by the 
lifecycle stages - User Profile, Account Setup, Account Modification, Account Termination, 
Deleting User Profile.] 

Figure 4.2.3: User Profile Life cycle 

i. Creation of user profile - When an employee joins, the HR department creates the 
employee's user profile. After completing the necessary induction training in the department, 
the employee is assigned a role (for job responsibilities) by the head of the department. 

To perform the assigned role, the employee is given a computer (desktop or laptop) set up by 
the IT department. The employee logs into the system using his/her user ID as per the profile 
assigned, e.g. an employee joining as an Officer will be assigned the "Officer" role whereas an 
employee joining as a Manager will be assigned the "Manager" role. 


A user profile contains information such as - 
a. Name of the user 
b. Department 
c. Email address 
d. Intercom number or mobile number 
e. Active Directory account (Active Directory is a Microsoft product on Windows Server to 
manage user and other service permissions and access to network resources) 
f. Computer name as per Active Directory 

ii. User account types - User account types are given below - 
a. User account 
b. Guest account 
c. Super user account 
d. Database account 
e. Network user account 
f. Network directory account 
g. Internet access account 
h. Email account 
i. Biometric access account 
j. ERP or other application account 

A user account record holds the following information, stored either in clear text or hashed, 
depending on privacy and security requirements (a hash converts clear text into a fixed-length 
scrambled value from which the clear text cannot be recovered; it is computed by software using 
an algorithm such as the Secure Hash Algorithm, SHA-1 or SHA-256). Passwords in particular 
must never be stored in clear text. Note also that a plain, unsalted SHA-1 or SHA-256 hash is 
not adequate for passwords, since it can be attacked with precomputed tables and very fast 
brute force, and SHA-1 is deprecated; a dedicated password hashing scheme that adds a 
per-user salt and a high work factor (e.g. PBKDF2, bcrypt, scrypt or Argon2) should be used 
instead - 

a. User name 
b. Password 
c. Mobile number 
d. Department code 
e. Network/cloud drive associated with the account 

Benefits of user management - The benefits of creating user accounts are many; a few are 
listed below - 

1) Improved user management 
2) Improved access controls for a user 
3) Improved integration of various systems for a user 
4) Optimised performance 
5) Improved accountability 
6) Improved authenticity 
7) Improved authorization 
8) Helpdesk setup is easier - either online or offline 
9) Improved security 

iii. Account modification - Account modification may be requested by a user to the IT 
department through his/her user management. Depending upon a change of role, 
transfer or promotion of an employee, changes are required in the account 
profile. There are two types of account modification, described as follows - 

1. By the administrator - Based on the request received from the user's department, the 
administrator modifies the account for the following information - 

a. Department code 
b. Authorisation 
c. Drive mapping 
d. Transfer of the account from one office location to another 

2. By the user - Based on the organisation's policy or, in some cases, at the discretion of 
the user, a user may change certain information related to his/her account, as detailed 
below - 

a. Password 
b. Other demographic details such as contact address, mobile phone, etc. However, 
this may further require approval by a competent authority 

iv. Account termination - A user account is terminated by the IT department only when 
the request is approved and sent by the Human Resource department, and not by the 
employee's parent department. Termination should take effect no later than the employee's 
last working day, as dormant accounts of departed employees are a common route for 
unauthorised access. An account termination request sent by the Human Resource 
department for an employee is based on the following - 

a. Termination of the employee 
b. Resignation of the employee 
c. Employee on deputation 
d. Employee seriously ill and on long medical leave 
e. Death of the employee 

v. Deleting user profile - A user profile is deleted by the IT department on the request 
sent by the Human Resource department. A profile deletion request may be based on the 
following - 

a. Termination of the employee 
b. Resignation of the employee 
c. Death of the employee 
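The account lifecycle described in items i to v, together with the earlier point that a password must be stored as a salted, slow hash rather than a plain SHA-1 or SHA-256 value, can be shown in one small account store. The Python code below is an added example, not part of the course material or of any vendor's product. It keeps the password only as a PBKDF2-HMAC-SHA256 hash with a per-user random salt, blocks login as soon as an account is terminated (suspended), and refuses to delete a profile that was never terminated. The field names, the "HR reference" the termination and deletion calls demand, and the iteration count are assumptions made for the illustration.

```python
# Added example (not from the course material): an account store covering the
# lifecycle above (create, modify, terminate/suspend, delete) with the password
# kept only as a salted PBKDF2-HMAC-SHA256 hash. Field names, the "HR reference"
# check and the iteration count are assumptions for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster


class Status(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"    # terminated: login blocked, data and audit trail retained
    DELETED = "deleted"        # profile removed on HR request; record kept for audit


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus many iterations; stored as algo$iters$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


@dataclass
class Account:
    user_id: str
    role: str
    department: str
    password_hash: str
    status: Status = Status.ACTIVE
    audit: list = field(default_factory=list)   # (action, actor or reference)


class UserDirectory:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def create(self, user_id: str, role: str, department: str,
               password: str, hr_ref: str) -> Account:
        if user_id in self.accounts:
            raise ValueError(f"{user_id} already exists")
        acct = Account(user_id, role, department, hash_password(password))
        acct.audit.append(("created", hr_ref))
        self.accounts[user_id] = acct
        return acct

    def modify(self, user_id: str, approved_by: str, role: Optional[str] = None,
               department: Optional[str] = None) -> Account:
        """Administrator-side change (role, department); must name an approver."""
        acct = self._active(user_id)
        acct.role = role or acct.role
        acct.department = department or acct.department
        acct.audit.append(("modified", approved_by))
        return acct

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        """User-side change: the current password must be proven first."""
        acct = self._active(user_id)
        if not verify_password(old, acct.password_hash):
            return False
        acct.password_hash = hash_password(new)
        acct.audit.append(("password_changed", user_id))
        return True

    def terminate(self, user_id: str, hr_ref: str) -> Account:
        """Account termination: only against an HR reference; blocks login at once."""
        acct = self._active(user_id)
        acct.status = Status.SUSPENDED
        acct.audit.append(("terminated", hr_ref))
        return acct

    def delete(self, user_id: str, hr_ref: str) -> Account:
        """Profile deletion only after termination, never straight from active."""
        acct = self.accounts[user_id]
        if acct.status is not Status.SUSPENDED:
            raise ValueError(f"{user_id} must be terminated before deletion")
        acct.status = Status.DELETED
        acct.password_hash = ""          # credential material is not retained
        acct.audit.append(("deleted", hr_ref))
        return acct

    def login(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        return (acct is not None and acct.status is Status.ACTIVE
                and verify_password(password, acct.password_hash))

    def _active(self, user_id: str) -> Account:
        acct = self.accounts[user_id]
        if acct.status is not Status.ACTIVE:
            raise ValueError(f"{user_id} is {acct.status.value}")
        return acct
```

Two design points carry the security argument. The stored string records the algorithm and iteration count alongside the salt, so the work factor can be raised later and old records still verify. And `login` checks the account status before touching the hash, so a terminated employee's password, even if still known, stops working the moment HR's request is processed.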


2.9 Operation Helpdesk & User Assistance 


The help desk is a resource-intensive function implemented by the IT department to support 
users in using Information Systems. The IT department caters to users with various services 
such as - 

a. Email 
b. Internet 
c. ERP 
d. Database Management System 
e. Active Directory 
f. PC desktop and peripherals 
g. Software 
h. Network 

When a user faces any hurdle pertaining to the use of IS systems, his/her first point of contact 
is the helpdesk personnel. Helpdesk personnel can be contacted by the user in the following 
manners - 

a. Intercom 
b. Call centre 
c. Email 
d. Chat 
e. Video conferencing 
f. Messenger chat 
g. Physically attending to the user 

Helpdesk personnel help the user with various hurdles related to the Information Systems and 
try to resolve them, as given below - 

a. Password reset 
b. Software related issues 
c. Drive related issues 
d. Network related issues 
e. Database related issues 
f. Email related issues 
g. Internet related issues 
h. Hardware issues such as PC desktop and peripheral issues 

The effectiveness and efficiency of the helpdesk are important and depend on the incident / 
problem resolving capacity of the helpdesk personnel. Since a password reset performed at the 
helpdesk is a classic target for social engineering, the helpdesk must verify the caller's identity 
through an agreed procedure before resetting any credential. 


Levels of help desk support - The following categories of help desk support are 
available, either through a call centre or an in-house help desk facility - 

Level 0 Helpdesk - Level 0 support is mostly automated, self-service support, 
wherein a user can solve the problem him/herself. Self-service such as password resetting falls 
in this category of help desk. 

Level 1 Helpdesk - Level 1 support is given for other basic services such as configuration 
changes and troubleshooting. Users can talk to helpdesk personnel about issues such as 
password reset support, email support, internet support, DBMS support, ERP support and 
other application or software level support. If the helpdesk personnel are unable to resolve the 
issue, then the issue is escalated to the next level, i.e. Level 2. Level 1 support is considered 
"first aid" support. 

Level 2 Helpdesk - Level 2 support is provided by the supervisory staff of Level 1 personnel, for 
escalated issues such as advanced troubleshooting and installation of computing devices or 
software. Sometimes, users may be given support by taking remote access to the user's system; 
such remote access sessions should be consented to by the user and logged. Most user 
problems are solved at this level; however, if a user issue cannot be solved even at this level, 
then it is escalated to the next level, i.e. Level 3. 

Level 3 Helpdesk - Level 3 support is the next level of advanced troubleshooting. If an incident 
is not solved and gets elevated to this level, it is considered a "problem" and resolution 
may require substantial changes to the system. The change management process may be 
invoked for this level of support. If the problem of a user is not resolved even at this level, then 
help is required from the device manufacturer or system developer. The issue is then 
escalated to Level 4. 

Level 4 Helpdesk - Level 4 support is generally given by the device manufacturer or system 
developer. If an issue has come to this level, it may need to be resolved by releasing a 
new release or version of the device or product. 


2.10 Operations Performance Measurement 


Measuring the operational performance is important to any organisation. Metrics are 
quantitative measurement for operational performance measurement. Some important 
operations performance metrics are as follows — 


1. Availability - Availability is the measurement of continued operation of Information 
System for a user. Mean Time Between Failure (MTBF) over a period of time is the metrics of 
IS system availability. It measures the system performance and serviceability to the users of 
an organisation. 


2. Incident - An incident is a deviation from the normal operations of an IS system. Any 
incident that occurs needs remedial action to restore the operations of the IS system. The 
restoration time of the system, including the incident period, is the measure of downtime of 
the system. 


3. Quality - Quality of an IS system is a measure of the intended performance, in the intended 
time, at the intended place. 


4. Productivity - IS system productivity is a measure of the rate of doing work of a resource 
such as a system or a human resource. This needs to be measured in combination with quality. 


5. Return on Investment (ROI) - ROI measures the gain or loss generated on an investment 
relative to the amount of money invested. ROI is usually expressed as a percentage. 


6. Value Creation - If a system provides the desired functioning and is cost effective with the 
desired productivity and quality, then the system is said to be creating "value" for its users. 
Many organisations consider value creation an important parameter of the progress of the 
organisation. 
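The availability and incident metrics above can be computed from an incident log. The following is an added example, not part of the course material: it takes a constructed list of outage intervals (start of incident, time service was restored), merges overlapping intervals so downtime is not double-counted, and returns MTBF, MTTR and availability for the measurement period. The incident timestamps and the period are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed incident log for one system over March 2024 (not from the text):
# (outage start, service restored). Restoration time includes the incident
# period, so each interval is the downtime that incident caused.
INCIDENTS = [
    ("2024-03-02 09:15", "2024-03-02 09:45"),
    ("2024-03-11 22:00", "2024-03-12 01:00"),
    ("2024-03-11 23:30", "2024-03-12 00:30"),  # overlaps the previous outage
    ("2024-03-25 14:30", "2024-03-25 15:00"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def merge_outages(incidents):
    """Merge overlapping (start, end) intervals so downtime is counted once."""
    spans = sorted((_parse(a), _parse(b)) for a, b in incidents)
    merged = []
    for start, end in spans:
        if end < start:
            raise ValueError(f"restored before start: {start} > {end}")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def availability_metrics(incidents, period_start, period_end):
    """Return failure count, downtime, MTBF, MTTR (hours) and availability."""
    p_start, p_end = _parse(period_start), _parse(period_end)
    outages = merge_outages(incidents)
    if any(s < p_start or e > p_end for s, e in outages):
        raise ValueError("incident outside the measurement period")

    def hours(td):
        return td.total_seconds() / 3600

    downtime = sum((e - s for s, e in outages), timedelta())
    total = p_end - p_start
    uptime = total - downtime
    failures = len(outages)
    # MTTR: average restoration time per failure.
    # MTBF: average operating time between failures (uptime per failure).
    mttr = hours(downtime) / failures if failures else 0.0
    mtbf = hours(uptime) / failures if failures else hours(uptime)
    return {
        "failures": failures,
        "downtime_hours": hours(downtime),
        "mtbf_hours": mtbf,
        "mttr_hours": mttr,
        "availability": hours(uptime) / hours(total),
    }


if __name__ == "__main__":
    m = availability_metrics(INCIDENTS, "2024-03-01 00:00", "2024-04-01 00:00")
    for key, value in m.items():
        print(f"{key:>15}: {value:.4f}" if isinstance(value, float) else f"{key:>15}: {value}")
```

With the constructed log, the three merged outages give 4 hours of downtime in a 744-hour month, an MTTR of 1.33 hours, an MTBF of 246.67 hours and availability of 99.46%; the identity availability = MTBF / (MTBF + MTTR) holds exactly because both sides are computed from the same uptime and downtime.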


2.11 Summary 


In this chapter, we discussed Information Systems operations and the challenges faced by the 
Information Technology department. We discussed various functions such as Asset 
Management, Change Management, Configuration Management etc. We also discussed the 
importance of these functions and the effects of their improper implementation. 
Effectiveness and efficiency of the Information Technology department is heavily dependent 
on these functions, and measurement and continual improvement of these functions is 
necessary for value creation for an organisation. 
2.12 Questions 


1. Why should organizations want to manage logs? 

A. To be informed when something unusual happens involving a system or application 
B. To be able to take action in response to a security event 
C. To keep a record of all the responses to security events 
D. All of the above 

2. When implementing a log management program, it is BEST to start with: 

A. Technology from a trusted vendor 
B. The same program and process that organizations with similar business are using 
C. A list of the top three vendors from a published report 
D. A careful review of the organization's log management and reporting needs 

3. The security principle of least privilege is: 

A. The practice of limiting permissions to the minimal level that will allow users to 
perform their jobs. 
B. The practice of increasing permissions to a level that will allow users to perform 
their jobs and those of their supervisor. 
C. The practice of limiting permissions to a level that will allow users to perform their 
jobs and those of their immediate colleagues. 
D. The practice of increasing permissions to a level that will allow users to use the 
cloud services of their choice in order to get their jobs done more quickly. 

4. Why does privilege creep pose a security risk? 

A. Users' privileges don't match their job or role and responsibilities. 
B. Because with more privileges there are more responsibilities. 
C. Users have more privileges than they need and may use them to perform actions 
outside of their job description. 
D. Auditors may question a mismatch between an individual's responsibilities and 
their privileges and access rights. 

5. Software Configuration Management is the discipline for systematically controlling: 

A. Changes due to the evolution of work products as the project progresses 
B. The changes required due to defects being found which are to be fixed 
C. Changes necessary due to change in requirements 
D. All of the above 

6. Which of the following is the top priority that companies planning to implement an 
asset management system should examine? 

A. The visual appeal of websites, internal search pages and marketing collateral 
B. Number of videos, audio files and other multimedia assets available 
C. Specific data needs and the business problems to be solved 
D. All of the above 

7. Self-service assistance to users provided by the help desk, such as resetting 
passwords etc., is considered which level of assistance? 

A. Level 4 
B. Level 0 
C. Level 2 
D. Level 1 

8. During development of a software system, which of the following will be used to 
maintain software integrity? 

A. Configuration Management 
B. Version Control 
C. Change Management 
D. None of the above 

9. Who of the following would approve or reject major changes in configuration? 

A. Management 
B. Change control board 
C. User 
D. System Administrator 

10. A transaction in a database management system should be atomic in nature. An 
atomic transaction is one where: 

A. The transaction should be submitted by a user 
B. The transaction should be either completed or not completed at all 
C. The transaction should fail 
D. The transaction can be in-between failed and complete 


2.13 Answers and Explanations 


1. The correct answer is D 

Log management systems provide insight into a variety of incidents and issues with 
systems and devices, as well as being a compliance requirement under many 
regulations. For all of the above reasons, log management is a necessity for enterprise 
security. 

2. The correct answer is D 

Without understanding what logging capabilities the organization has (or doesn't have) 
and what information is needed from those logs, it is impossible to implement an 
effective log management program. Choices A, B and C may help in selection of the 
vendor but are not the starting points. 

3. The correct answer is A 

The principle of least privilege is the practice of limiting access rights for users to the 
bare minimum permissions they need to perform their work. Users are granted 
permission to read, write or execute only the files or resources they need to do their 
jobs, and access rights for applications, systems, processes and devices are restricted to 
only those permissions required to perform authorized activities. Enforcing least 
privilege plays a key role in limiting (containing) the damage that malicious users may 
cause. Choices B, C and D do not describe the principle of least privilege. 

Information Systems Operations 

4. The correct answer is C 

Auditors certainly will question it if they find that users have greater privileges than they 
need to perform their jobs, but the real risk is that a disgruntled user could abuse their 
elevated privileges, so C is the right answer and not A, B or D. 

5. The correct answer is D 

Software Configuration Management is defined as a process to systematically manage, 
organize and control the changes in the software programs, documents, code and 
other entities during the Software Development Life Cycle. Any change in the software 
configuration items will affect the final product. Therefore, changes to configuration 
items need to be controlled and managed. Hence all the options are important. 

6. The correct answer is C 

Asset management is a process used to keep track of the equipment and inventory vital 
to day-to-day operation of the business. Asset management requirements should be 
aligned with the business objectives. Choices A and B may assist in selection of an 
appropriate system based on the needs of the organization but are not top priority 
requirements. 

7. The correct answer is B 

Level 0, because it is self-service. Choices A, C and D are levels where a help desk 
operator would help the user. 

8. The correct answer is B 

Version control. Choices A and C are steps before version control. 

9. The correct answer is B 

Projects receive multiple change requests and these must be evaluated by the change 
control board. A change control board is a group of individuals responsible for reviewing 
and analyzing change requests and recommending or making decisions on requested 
changes to the baselined work. Poor change control can significantly impact the project 
in terms of scope, cost, time, risk and benefits. Choices A, C and D do not have the 
authority to approve or reject major changes. 

10. The correct answer is B 

Atomicity means either a complete transaction or a failed (rolled back) transaction. It does 
not permit a transient stage or partially complete transactions. Choices A, C and D are not 
correct. 
Chapter 3 
Software Operations & Management 


Learning Objectives 


In this chapter, students will learn about the importance and functions of system software, 
operating systems, application software, data and database management systems. Students will 
also learn about testing of software, what is meant by network services, what is meant by 
(software) patch management, and about backup systems. 


A basic understanding of all these systems and services is introduced so that, as an IS Auditor, 
a student will not find difficulty in applying it when conducting audits. 


3.1 Introduction to Software Infrastructure 
3.1.1 System Software 


System software is a set of computer programs that act as an interface between hardware and 
users. System software is installed on the hardware so that other software and applications can 
run on it. The operating system of a computer is also a class of system software. 
Figure 4.3.1 depicts the layers of different software as installed on a computer. 


System Software Interfacing - Functions of a System Software can be given as follows — 


i. User - Application Software Interface - Application software is what a user works 
with directly, e.g. Tally. Underlying this application software is the system software. 
Thus, system software acts as an interface between the user and the application software 
the user is using. The main types of user interface include - 


- Command Line Interpreter (CLI), where the user types a text command 

- Graphical User Interface (GUI), e.g. in Windows, where the user issues commands visually 


Figure 4.3.1: Layers of software between users and hardware (User - Application Software - System Software - Hardware) 


ii. Application Software - System Software Interface - Application software is a type of 
software used by an end user to solve a specific business purpose. The application 
software needs to be installed on top of the system software, such as the operating system (OS). 
E.g. Tally is application software. 


System software provides an Application Programming Interface (API) to the application 
software, through which the application software and system software communicate with each 
other. The API provides interfaces to the application programmer, which are used in programs so 
that the application software is able to "connect" to the system software. 


iii. System Software - Hardware Interface - System software is installed on the hardware, or 
on the motherboard of a computer system (system software installed on the motherboard is 
called "firmware"). Firmware commands and controls the CPU (Central Processing Unit) and 
memory of the system. Other system software (installed on the hard disk) organises, 
commands, controls and coordinates the activities of both the hardware and the application software. 


Various hardware peripherals like printers, scanners, USB hard drives, USB pen drives, 
photocopiers etc. connect to the operating system through device driver software. A device 
driver is also system software; it drives the associated device. 


3.2 Operating System 


An operating system (OS) is a set of programs that control the execution of application 
programs and act as an intermediary between a user of a computer and the computer 
hardware. The OS is a type of system software that manages computer hardware as well as 
providing an environment for application programs to run. Examples of operating systems 
are Windows, Unix, Linux, iOS etc. 


The objectives of an OS are as follows - 

• Process Management (Processor Management) 
• Memory Management 
• File Management 
• I/O System Management 
• Secondary Storage Management 
• Networking 
• Protection System 
• Command Interpreter System or GUI 


3.3 Application Software 


Application software is what a user uses for day-to-day activities in an organisation. 
When a user starts a computer system, the operating system is loaded into RAM and gives the 
user access through a Command Line Interpreter (e.g. Unix, Linux) or a GUI. The user must have a 
user ID and password created in the operating system. The user then proceeds to start (by double 
clicking) the application software in which s/he wants to work, e.g. Tally. All the commands 
issued in the application software are passed to the underlying operating system, which completes 
the command on the underlying hardware. 


Figure 4.3.2 depicts various kinds of application software, such as e-mail, Internet, 
MS Office, ERP and Tally, installed on the operating system and communicating with the 
underlying operating system (OS) through the application programming interface (API). The 
operating system services the commands and data requests of any of these applications. 


Types of Application Software 


Types of application software, depending upon their functions and how they have been acquired, 
are as follows - 


a. Packaged Software - technical use - sometimes referred to as middleware 

• Transaction servers - e.g. MTS, COM+ 
• Message queuing software 
• Databases - e.g. SQL Server, Oracle 
• Readymade web development platforms - e.g. IBM WebSphere, Microsoft BizTalk, 
Joomla, Microsoft SharePoint 


b. Packaged Software - commerce - This type is generally used for routine office work 
such as typing, calculations, etc. 

• MS Office, Open Office - for word processing, spreadsheets, presentations etc. 
• Office collaboration software, e.g. workflow etc. 


c. Communication Software - Communication software is used by a user to 
communicate with others. Examples are Internet browsers, e-mail software, chat software 
etc. 


d. Engineering Software - Engineering software such as Computer Aided Design (CAD), 
Computer Aided Manufacturing (CAM) etc., which is used in engineering. 


Figure 4.3.2: Application Software (e-mail, Internet, MS Office, ERP and Tally running on the operating system) 


e. Knowledge Software - Knowledge management software that provides information 
processing, such as Knowledge Management Systems (KMS), expert systems and 
simulation software etc. 


3.4 Software Testing 


To check the functionality of software after development, organisations conduct 
software testing. A team of software testers in the organisation performs software testing 
rigorously within a stipulated time frame and generates defect reports for the software 
development team. Software developers do not test their own programs (apart from unit 
testing). Other than functionality, a software tester may also check the following - 


a. Whether the software meets the scope of work as per specifications 
b. Security related testing 
c. The design of the software 
d. The performance of the software under specified conditions 
e. Errors or defects, identified for early correction 
f. Any deviations from specifications 


Software testing types 
Software testing types are as follows — 


1. Manual Testing: In this type, a software tester tests the software by manually 
entering data, processing it and checking the output generated. The tester performs these tests 
on a test site by preparing test cases and test data. Results of the tests are documented and 
undesired functioning (e.g. defects, bugs, invalid cases etc.) is reported to the developers. 


2. Automation Testing: In this type, a software tester uses test software and submits 
test cases and test data to the software under test. Automation tools such as Selenium, HP 
UFT and Ranorex etc. are available to test software. Automated testing is generally used 
for modern web-based systems and where manual testing is cumbersome. 


3. Hybrid Testing: In this type of testing, both manual and automated testing are carried 
out. The human perspective is covered during manual testing, whereas automated testing covers 
tests that are cumbersome to do manually, e.g. performance testing with large data. 


Software testing approaches 
Software testing approaches are as follows - 


1. White Box Testing: In this approach, a tester who is knowledgeable about the internal 
working of the software performs the testing. The tester may perform black box testing to 
start with, but since s/he is knowledgeable about the internal working of the software, proceeds to 
white box testing. 


2. Black Box Testing: Black box testing is functional testing. The tester does 
not know the internal structure of the software. The tester submits input to the software and 
expects the specified output. S/he does not look "through" the software. 


3. Grey Box Testing: In grey box testing, the tester is partially knowledgeable about the 
internal structure of the software. S/he therefore performs both black box and, to some extent, 
white box (not full) testing. 


Software testing Levels 


Software testing levels, following the stages of development and subsequent testing (depicted 
in figure 4.3.3), are as follows - 


1. Unit Testing: Each program (unit) is tested in this type of testing. This is generally 
performed by the developer him/herself. 


2. Integration/Interface Testing: An individual program does not work in a stand-alone 
manner; it is integrated or interfaced with other program/s. Interface or integration testing is 
the testing of programs which have been combined. Integration testing has three approaches, 
described as follows - 


a. Top Down Approach - Top level programs are tested first, drilling down to lower level 
programs 


b. Bottom Up Approach - Lower level programs are tested first, drilling up to top level 
programs 


c. Sandwich Approach - The tester may start at the top or bottom level and, depending on the 
situation, move downward or upward 


3. System Testing: System testing, as the name suggests, is testing of a completed 
system or module. System testing is generally for technical performance, volume of data etc. 


Figure 4.3.3: Levels of Testing (Unit Testing - Integration Testing - System Testing) 


4. User Acceptance Testing (UAT): The user department, for which the software is 
developed, is given the software on a test site for user-level testing. User is the best person 
who knows various situations in business and day-to-day working. 
3.5 Software Maintenance 


Software maintenance is any change made to software after it is in operation. Software 
maintenance is very important for an organisation. Business is not static, and therefore the 
software that supports it is not static either. Business changes with time to cater to new challenges, 
new laws, regulations, technology, personnel etc. Therefore, software also needs to be 
changed or maintained so as to suit new business needs. 


Software maintenance is required for the following reasons - 

1. Error corrections surfaced during day-to-day operations 
2. Alteration of features and functionalities 
3. Deletion of features and functionalities 
4. Software performance optimisation 
5. Security patch updates 


Categories of maintenance 


Software has various category of maintenance. Following are the categories of software 
maintenance — 


1. Preventive Maintenance: Preventive maintenance is a proactive approach. Software 
developers may do preventive maintenance since they know the design and/or programming level 
shortcomings. 


2. Corrective Maintenance: Corrective maintenance is a reactive approach. When a defect 
or error arises in the working of software, corrective measures are taken by making changes to 
program/s. The user department may face downtime in some situations. 


3. Adaptive Maintenance: Adaptive maintenance makes software suitable for a new environment, 
especially upgraded hardware and operating systems. Software adapts to the new environment 
through this type of maintenance activity. 


4. Perfective Maintenance: Here again, it may be a proactive approach. Software 
developers on their own may keep changing the software and releasing new versions for 
betterment of functionality and security. The following changes may be done as perfective 
maintenance - 


a. Making alterations for betterment 
b. Faster processing 
c. Addition of features 
d. Portability 
e. Scalability 
f. Agility 
g. Better documentation 
h. Security enhancement 


Software Maintenance Process 
The software maintenance process, step by step, is as follows - 


1. Scope of Maintenance: It is better to collect and understand software maintenance 
requirements. The purpose of software maintenance may be preventive, corrective, adaptive 
and perfective. 


2. Plan of the Maintenance: User department along with IT department(in-house or 
outsourced) make a proposal for the maintenance activity. In this step, business impact of 
change, cost, time and resources needed are discussed and planned. Testing requirements 
are also specified in the plan. 


3. Software Maintenance: Before the activity of software maintenance, all respective 
stakeholders are informed about the maintenance schedule and expected window of 
downtime. As per the plan and proposal, software maintenance must be done within the 
specified time, cost and resources. Any delay or scope creep (additional scope) makes 
software maintenance activity unproductive to the organisation. 


4. Software testing: After maintenance is done software testing is performed. 


5. Go-Live: After successful maintenance and subsequently testing, the software is made 
“Go live” and available for user department and various stakeholders for day-to-day use. 


Challenges of Maintenance 
Organisations usually face the following challenges of software maintenance — 


1. Job Change: Due to high manpower turnover in the software industry, software 
maintenance may become difficult, since the set of programmers who originally developed the 
software may not be available, and new developers may take time to understand the work done by 
the original developers. 


2. Structure of the software: Software development is not yet as stable and structured as 
other industries (e.g. engineering, chemicals etc.). This poses hurdles in maintenance 
because developed programs may be person (programmer) dependent. 


3. Understanding of Scope of Work: If requirements gathering (for the software) is not done 
correctly and at an atomic (lowest possible) level with users, then the software may not 
work as desired. Users then start adding even basic missing functionality during the 
maintenance phase. This poses problems in software maintenance. Software baselining 
should be done along with the user department to avoid such situations. 


4. Scalability issue: Scalability of software is its adaptability to the growing requirements 
of the business. It may be expected that the software should be capable of expanding with business 
and technical situations, e.g. faster or enhanced hardware. 


3.6 DBMS - Database Management System 


Before DBMS, developers were required to deal with the individual files in which data was stored. It 
was necessary to process the data in these files programmatically. This was cumbersome, time 
consuming and error-prone, and program-data independence was not achieved. Technological 
progress in the area of software development led to the Database Management System, 
discussed below. 


Data - Data is facts and figures about a situation, e.g. a customer depositing money in a bank 
account. Here, the customer details (account number, name etc.) and the amount of money are the data 
items. This data needs to be processed by a program (processing instructions) to get 
meaningful information. 


Database - A database is a collection of data organised in such a way that processing the 
data is much easier. A database stores interrelated user data along with developers' programs such as 
queries, reporting programs etc. There are different types of database management systems, 
such as hierarchical, network, relational and object oriented. Of these, currently, the relational 
database management system (RDBMS) is most widely used. 


Relational Database Management System - An RDBMS stores users' data in tables of rows 
and columns. The tables can be related to each other with the help of common column/s; 
therefore it is called "relational". Different components of an RDBMS are: system data 
tables, user data tables, data input forms or web pages, queries, reports etc. A Database 
Management System or DBMS can be depicted in a simple diagram as shown in Figure 4.3.4. 


Some well-known relational database management systems are Microsoft SQL Server 
(MS-SQL), MySQL, Oracle Database and PostgreSQL etc. 


Characteristics of RDBMS — A modern RDBMS has the following characteristics — 


1. Entity - An entity may be a place, person, object, event or concept. An entity has 
attribute/s. E.g. Person entity - employee, student, patient etc. Place entity - state, region, 
branch etc. Object entity - machine, building, automobile etc. Event entity - sale, registration, 
renewal etc. Concept entity - account, course, work centre, desk etc. 


Figure 4.3.4: User applications accessing a database through the DBMS 


2. Schema - A schema is the organisation of data in a database; it is also the design 
of the database. There are three types of schema, as follows - 


i. Physical Schema - The design of how data is stored in the database on secondary storage 
is called the physical schema. 


ii. Conceptual Schema - The conceptual schema is the logical design of the database into 
rows and columns. This conceptual schema is mapped to the physical schema. This 
schema is used by database designers, DBAs and programmers in software 
development. 


iii. External Schema - The external schema is how a user views the database at user level. 
This schema is used to interact with the users. 


3. Tables - A Database Management System uses tables (refer to figure 4.3.5) to arrange 
the data of the database. Tables are also called relations. A table has rows and columns. Each row 
represents a record, while each column represents a field or attribute. A row (record) of a 
table is also called a tuple. 




Background Material on Information Systems Audit 3.0 Course (Module 4) 


4. Relation - In RDBMS, relation is shown through one or more tables. 


5. Metadata - Metadata in an RDBMS is data about data. It is similar to the index of a book. E.g. 
in Fig 4.3.5, the column name Student is metadata and "Ajinkya" is data. The Student column may 
have a column length of 40 characters. Thus, metadata specifies how data is organised. 


Roleno   Student   Semester_1   Semester_2     (columns) 
1        Ajinkya   49           50             (row / tuple) 
2        Aadu      47           50 
3        Cherry    42           45 

Figure 4.3.5 


6. Keys - 

a. Primary Key - In an RDBMS, a primary key is a column (or set of columns) which uniquely 
identifies a record (tuple) in a database table. In figure 4.3.5, the attribute Student cannot 
guarantee uniqueness - there may be more than one Ajinkya. Therefore, we need an additional 
column, Roleno, which is unique and becomes the primary key; it helps a DBMS user uniquely 
identify Ajinkya along with his marks. Similarly, refer to Fig 4.3.6. Can you identify the primary key? 


Employee No   Employee Name   Designation 
7322          Aadu            GM 
5899          Shini           GM 
7254          Ajinkya         ED 
8944          Ajinkya         ED 

Employee No   Salary   Age 
7322          15000    45 
5899          17500    52 
7254          20000    42 
8944          18750    49 

Figure 4.3.6 
Important rules about a primary key are - 


i. No two rows have the same primary key. Primary key should be unique 


ii. Primary key cannot be null 


iii. If a link (referential link) is established referring to a primary key, in that case, primary 
key cannot be deleted or modified. 


b. Foreign Key — Foreign key is a column in a table which is the primary key of another 
table. This is for a “Referential Integrity” between the two tables. See Fig 4.3.6-a wherein, 
Employee Table and Department Table have referential integrity. Dept_Code column in 
Employee Table is the “foreign key” because it is the “primary key” of Department Table. Note 
that, employee number 7322 — Aadu and employee number 8944 - Ajinkya have the same 
department code 01 and therefore both are in HR dept. 


Employee_No   Employee_Name   Dept_Code 
7322          Aadu            01 
5899          Shini           02 
7254          Ajinkya         03 
8944          Ajinkya         01 

Dept_Code   Dept_Name 
01          Human Resources 
02          Accounts 
03          Marketing 
04          Purchase 


Figure 4.3.6-a 


7. Isolation of data and application - Data independence is possible in an RDBMS because the 
physical schema (how and where the data is actually stored) is hidden from the database designer, 
DBA and programmer, who work only with the conceptual (logical) schema. The RDBMS software 
maps the conceptual schema to the physical schema internally, so storage changes do not require 
application changes. 


8. Normalization - Normalisation is a record-design technique developed by Dr E. F. Codd to 
avoid certain design anomalies (insertion, update and deletion anomalies). It is a process of 
breaking down a table into more tables until the non-key columns in each table depend only 
on the key column/s of that table. 
9. Transaction - A transaction is a unit of work done on a database. E.g. selecting a 
record from a database table is a "Select" transaction. Inserting a record in a table is an 
"Insert" transaction. 


10. ACID Properties - A transaction in a database should be designed in such a way that 
it satisfies the ACID properties: A is Atomicity, C is Consistency, I is Isolation and D is Durability. 
This means that when a programmer or DBA defines a transaction (such as an Insert or Update), 
it should be defined in such a way that it satisfies ACID, i.e. the transaction is atomic 
(not divisible further), when completed it leaves the database in a consistent state, it is 
isolated while it is executing, and its result is written to persistent (permanent) storage such as 
secondary storage. The ACID properties are explained in detail below - 


i. Atomicity - Atomicity means "either a transaction is completed or not done at all". 
E.g. each business transaction has one or more debits and one or more credits. The 
transaction should be defined in such a way that both the debit/s and credit/s are 
completed or none takes place. 


ii. Consistency - A database must always be in a consistent state. If a transaction is done 
on the database, the database must still be in a consistent state after the transaction is over. 
Therefore, a transaction should be defined in such a way that it leaves the database in a 
consistent state. 


iii. Isolation - An RDBMS supports transactions of many users at the same time. Therefore, a 
transaction should be defined in such a way that one transaction does not have an 
effect on any other concurrently executing transaction. 


iv. Durability - Durability in an RDBMS is about the longevity of transactions. It means 
that when a transaction is committed, i.e. completed and saved, it is written to 
persistent storage, which is secondary storage or hard disk, and survives a subsequent crash. 


11. Data Integrity - Data Integrity in RDBMS can be maintained by programming various 
constraints applied to data which is entered or processed in RDBMS. e.g. a “check” constraint 
on age column can be set to 18 to 60 years, thereby allowing a user to enter data within this 
range only. 


12. Multiuser and Concurrent Access - Many users work simultaneously on an 
RDBMS via application software. Therefore, many transactions hit the RDBMS 
simultaneously or concurrently. Concurrency controls (such as ACID transactions) need to be 
ensured so that transactions are properly applied to the database tables. 
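As an added illustration, not taken from this course material, the following Python script uses the standard library sqlite3 module to show atomicity (a debit and a credit that commit together or roll back together) and a “check” constraint like the 18 to 60 age rule above; the table names, account numbers and amounts are constructed for the example.

```python
import sqlite3

# Constructed schema for this example: an employee table with the 18-60 age
# "check" constraint from the text, and an account table whose balance may not
# go negative (the rule that keeps the database in a consistent state).
SCHEMA = """
CREATE TABLE employee (
    emp_id INTEGER PRIMARY KEY,
    name   TEXT    NOT NULL,
    age    INTEGER NOT NULL CHECK (age BETWEEN 18 AND 60)
);
CREATE TABLE account (
    acct_id INTEGER PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)
);
"""


def new_db():
    """Create an in-memory database with two constructed accounts (100 and 0)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO account VALUES (?, ?)", [(1, 100), (2, 0)])
    return conn


def transfer(conn, src, dst, amount):
    """Debit `src` and credit `dst` as ONE transaction (atomicity).

    The credit is issued first on purpose: if the debit then violates the
    balance check, the exception rolls the whole transaction back, so the
    credit already written disappears too.  Returns True on commit, False on
    rollback; the database is consistent in both cases.
    """
    try:
        with conn:  # BEGIN ... COMMIT on success, ROLLBACK if an exception escapes
            conn.execute("UPDATE account SET balance = balance + ? WHERE acct_id = ?",
                         (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE acct_id = ?",
                         (amount, src))
        return True
    except sqlite3.IntegrityError:  # CHECK constraint failed: balance >= 0
        return False


def balances(conn):
    """Current balances as {acct_id: balance}."""
    return dict(conn.execute("SELECT acct_id, balance FROM account ORDER BY acct_id"))


def add_employee(conn, name, age):
    """Insert an employee; the RDBMS rejects any age outside 18-60 (data integrity)."""
    try:
        with conn:
            conn.execute("INSERT INTO employee (name, age) VALUES (?, ?)", (name, age))
        return True
    except sqlite3.IntegrityError:  # CHECK constraint failed: age BETWEEN 18 AND 60
        return False


def employee_count(conn):
    """Number of employee rows that passed the constraint."""
    return conn.execute("SELECT COUNT(*) FROM employee").fetchone()[0]


if __name__ == "__main__":
    db = new_db()
    print("transfer 30:", transfer(db, 1, 2, 30), balances(db))    # True {1: 70, 2: 30}
    print("transfer 500:", transfer(db, 1, 2, 500), balances(db))  # False, balances unchanged
    print("age 30:", add_employee(db, "Asha", 30))                  # True
    print("age 17:", add_employee(db, "Ravi", 17))                  # False
```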


13. DBMS views - RDBMS allows developers to create views of the database tables. 
Developers enforce name dependent, content dependent and context dependent access 
controls through views. E.g. a payroll clerk will be shown only the salary details of an employee 
while the appraisal details are hidden, whereas an appraisal clerk will not be able to see the salary 
but will be able to see the appraisal details. This is done by using views. 
14. Security - RDBMS provides various ways through which security can be ensured. 
These are - 


i. Multiple views - for access controls, or restricting a user's access only to specific 
columns 


ii. Key Reference - uniqueness and referential integrity 

iii. ACID Test - for ensuring that transactions are used in the correct manner 

iv. Data Integrity 
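The following Python example is added here and is not from the course material; it demonstrates, with the standard library sqlite3 module, the views, uniqueness and referential-integrity controls listed above: a payroll view that hides appraisals, an appraisal view that hides salaries, and a foreign key that rejects an employee in a non-existent department. The schema, role names and data are constructed for the example.

```python
import sqlite3

# Constructed schema for this example (not from the course material): a department
# table, an employee table that references it, and two views that expose different
# column sets to different roles.
SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE                     -- uniqueness
);
CREATE TABLE employee (
    emp_id    INTEGER PRIMARY KEY,
    name      TEXT    NOT NULL,
    dept_id   INTEGER NOT NULL REFERENCES department (dept_id),  -- referential integrity
    salary    INTEGER NOT NULL,
    appraisal TEXT
);
-- Content-dependent access: the payroll clerk never sees appraisal, the
-- appraisal clerk never sees salary.
CREATE VIEW payroll_view   AS SELECT emp_id, name, dept_id, salary    FROM employee;
CREATE VIEW appraisal_view AS SELECT emp_id, name, dept_id, appraisal FROM employee;
"""

# Role -> the only view that role may query.  This whitelist is what keeps the
# f-strings below safe: nothing user-supplied ever reaches the SQL text.
ROLE_VIEW = {"payroll_clerk": "payroll_view", "appraisal_clerk": "appraisal_view"}


def new_db():
    """In-memory database with the constructed schema and one department (10, Finance)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when asked
    conn.executescript(SCHEMA)
    with conn:
        conn.execute("INSERT INTO department VALUES (10, 'Finance')")
    return conn


def add_employee(conn, name, dept_id, salary, appraisal=None):
    """Returns False when dept_id does not exist in department (FK violation)."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO employee (name, dept_id, salary, appraisal) VALUES (?, ?, ?, ?)",
                (name, dept_id, salary, appraisal))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_department(conn, dept_id):
    """Returns False when employees still reference the department (FK violation)."""
    try:
        with conn:
            conn.execute("DELETE FROM department WHERE dept_id = ?", (dept_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def columns_visible_to(conn, role):
    """Column names the role's view exposes (the only columns that role can read)."""
    cur = conn.execute(f"SELECT * FROM {ROLE_VIEW[role]} LIMIT 0")
    return [d[0] for d in cur.description]


def fetch_field(conn, role, column, emp_id):
    """Read one field through the role's view; columns the view hides come back as None."""
    if column not in columns_visible_to(conn, role):
        return None  # the view does not carry this column, so the role cannot see it
    row = conn.execute(f"SELECT {column} FROM {ROLE_VIEW[role]} WHERE emp_id = ?",
                       (emp_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = new_db()
    print(add_employee(db, "Asha", 10, 50000, "Exceeds expectations"))  # True
    print(add_employee(db, "Ravi", 99, 40000))                          # False: no dept 99
    print(fetch_field(db, "payroll_clerk", "salary", 1))                # 50000
    print(fetch_field(db, "payroll_clerk", "appraisal", 1))             # None: hidden
    print(fetch_field(db, "appraisal_clerk", "salary", 1))              # None: hidden
```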

Other related security controls which are important are given below - 

i. Strong and multifactor authentication 

ii. Segregation of web server and RDBMS server 

iii. Encrypted data in the database 

iv. Use of a Web Application Firewall to block some attacks which are targeted at the RDBMS 

v. Patching of the RDBMS software regularly 

vi. Audit logging of the RDBMS 


Structured Query Language (SQL) - Structured Query Language or SQL is the programming 
language of RDBMS. 


Programmers use SQL commands and embed them in application programs. SQL commands work on 
the RDBMS and can insert, update or delete record/s in RDBMS tables. Data can be fetched with 
the help of the “Select” command. There are 3 components of SQL, the RDBMS programming 
language. They are - Data Definition Language (DDL), Data Control Language (DCL) and Data 
Manipulation Language (DML), i.e. changing data in a controlled manner. E.g. 


DDL - Create table, Drop table, Alter table 


DCL - Grant access or Revoke access 


DML - 4 commands: Insert, Update, Delete and Select records in a table 


Figure 4.3.7 - Structured Query Language (SQL): Front End, Back End, Database 
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SQL is widely accepted and the most popular due to the following advantages - 


System Architecture - So far, we have discussed various components of a system. Let us 
see how they are linked to each other in today’s Information Technology. 


User is connected to web site which runs on a web server. This is known as front-end of the 
system. It is also known as Presentation Tier or Public facing tier. 


Web server is connected to an Application Server. This is known as Business Tier or Logic 
Tier. Application server processes users’ requests by taking input/s and data from database. 


Application Server is connected to a Database Server (generally, RDBMS), which stores all 
the data of users and even temporary data. 


Thus, today’s systems follow a 3-tier architecture, unlike the past trend of single-tier or 2-tier 
architecture, as shown in Figure 4.3.8. Some bigger organisations may use additional 
tiers such as transaction servers, message queuing servers etc., which sit between these tiers. 
Therefore, it is sometimes referred to as an n-tier architecture. 


Figure 4.3.8 - 3-tier architecture: Presentation Tier, Application Tier, Database Tier 


3.7. Network Services 


A computer network is defined as a set of interconnected computers. Interconnected computers can 
communicate with each other and can share resources such as printers, files etc. There are the 
following types of computer networks - 


i. Local Area Network (LAN) - connected computers in a room or a building 


ii. Wide Area Network (WAN) - connected computers in different geographic areas. 
Requires the services of a network service provider. 

iii. Metropolitan Area Network (MAN) - network of computers in a metropolitan area such 
as a city 


iv. Personal Area Network (PAN) - network of computers of a personal workspace 

v. Storage Area Network (SAN) - for storing a large amount of data 

vi. Virtual Private Network (VPN) 


Network Services - The Defence Advanced Research Projects Agency (DARPA) of the USA 
designed and proposed Transmission Control Protocol/Internet Protocol (TCP/IP). The Open 
Systems Interconnection (OSI) model of the International Organization for Standardization (ISO) 
is another conceptual protocol model which was proposed. The TCP/IP layers are shown in Figure 4.3.9. 


Figure 4.3.9 - TCP/IP layers: Application Layer, Transport Layer, Internet Layer, Link Layer 


A user who is using application software submits his/her data to be sent to another 
connected computer. This data is taken and broken down into packets by the Application 
Layer of TCP/IP and moved downward through the other layers, packet by packet. 


Application layer packets are taken by the Transport Layer (TCP) and are sent to the next layer, 
which is IP. The TCP layer assures data delivery to the final receiver by taking an acknowledgement 
of each data packet. 


The Internet Layer (IP and other routing protocols) provides a correct path to the packets by routing 
them through a network of devices such as switches, routers, servers etc. This is done by 
sending the data packets to the next device’s IP address. However, before the packets can be sent to 
the next device, IP gives the data packets to the Link Layer. 


Finally, the Link Layer comes into the picture when packets are sent on the wire. The Link Layer 
converts the packets into bits and puts them on the wire (copper wire, fibre optic etc.) or through 
the air, by using the Ethernet protocol. 


When the packets finally reach the destination, they are assembled back into data and given 
to the application software of the final receiver. The packets go through the reverse journey from 
the Link Layer to IP to TCP and then to the Application Layer. 


Some known network services in an organisation are — 


1. Internet Services - Most of the organisations provide Internet services to their users 
through their web sites. The Internet setup in an organisation can be depicted as in the figure 
4.3.10. 


Figure 4.3.10 - Internet setup in an organisation: Internet server, Network Address Translation (NAT), router, private address 


Internet service in homes is usually through a broadband network. The service provider provides a 
broadband router and we can connect our devices (such as PCs, laptops, mobile phones) to the 
Internet. In organisations, however, the service provider provides leased telephone lines or MPLS 
(Multi Protocol Label Switching) lines through which organisation users connect to the Internet or 
application servers. 


2. DNS service - When the Internet was new, users connected to a web site by typing the 
web site’s IP address in the browser, e.g. http://9.9.9.9. However, as the Internet grew, it was 
difficult for users to remember IP addresses. Therefore, the DNS (Domain Name System) 
server was introduced, which stores in a database the names of all web sites and their respective 
IP addresses. When a user types a URL (Uniform Resource Locator), e.g. 
http://anywebsite.com, the DNS server provides the IP address of the web site and the 
browser then connects to that IP address. 
3. E-mail service - Organisations reserve a domain name/s to launch a web site. This 
reservation of a domain name and the actual hosting of a web site is generally done through a 
service provider. The Internet service provider also provides a domain for the e-mail service. 
Organisations can take multiple e-mail domains and reserve specific domains for specific 
purposes. Employees are given a common domain, as per the e-mail policy of the organisation. 


The email server needs to be set up with the SMTP (Simple Mail Transfer Protocol) service for 
outgoing mail. IMAP (Internet Message Access Protocol) or POP3 (Post Office Protocol 
version 3) can be used for incoming email. Refer to Figure 4.3.11. 


Figure 4.3.11 - Email server with SMTP, IMAP and Webmail access 


Users connect to email server and access their email through a client software such as 
Outlook. 


i. POP3 client - POP3 is the Post Office Protocol used to receive incoming email. In 
POP3, when a user connects through client software (such as Outlook) to the mail 
server, the incoming mails are downloaded from the server. In this protocol, all the 
emails, once downloaded, are deleted from the server. 


ii. IMAP client - The IMAP client is based on the Internet Message Access Protocol. It is also used 
for incoming mail. Similar to POP3, a user connects through client software to the email 
server and downloads incoming mail. However, in this protocol, mail is retained on 
the server even after it is downloaded. 


iii. Webmail - Webmail is email access through an Internet browser. 


4. Web service - Organisations can integrate their web application with that of another 
organisation. This is done by launching a web service with the help of an API (Application 
Programming Interface). E.g. an aggregator for booking airline or railway reservations 
establishes connectivity to all the airlines’ and railways’ web sites through web services and APIs. 
Customers can connect to the aggregator’s web site and book tickets rather than going to the 
individual web site of each airline. 


5. Directory Services - When organisations need to control all the desktops, laptops or 
other computing devices and resources, and provide proper authentication and security, they 
implement directory services. Microsoft Active Directory, Sun Microsystems’ iPlanet Directory 
Services and Novell’s eDirectory are some popular solutions available for such controlled 
access. 


6. Print services - A print server runs the print service to make a pool of the network printers 
installed in the organisation. The print server allows authenticated users to connect, with users 
authenticated either by the print server itself or by the directory services. 


Print server installation enables an organisation to enforce a printing policy controlling what 
printing is done on the various printers. The print server also provides monitoring of print jobs and 
provides statistics related to them. 


7. DBMS service - DBMS or database management services have already been discussed in 
section 3.6 of this chapter in detail. DBMS provides an efficient and smooth process of data 
storage and retrieval. 


8. Video Conferencing - Many organisations have established video conferencing 
facilities to connect and hold video meetings between branches or regional offices and the head office or 
corporate office, with senior management people. Travelling time and cost can be reduced 
substantially with the help of a well organised video conferencing facility. With increasing 
bandwidth at reducing costs, provided by service providers, and improved 
telecommunication technologies, video conferencing can be widespread and can also be 
used by small and medium enterprises. 


3.8 Backup Strategies 


Backup system involves taking backup of data on to different media and storing the media at 
other safe separate geographic location/s. In case of need, when the primary data is not 
available, the backup data can be restored and used for regular operations in lieu of the 
primary data. 


Important Backup Considerations 


Following important backup considerations should be taken into account before establishing a 
backup (& restore) system — 


1. Backup Policy - Organisations should establish backup policy for guiding IT 
department and users. Backup policy will also enable IT department to manage the entire 
backup-restoration system with adequate resources. Policy should also define retention period 
of the backup data. After completion of the retention period, data should be destroyed safely 
and securely. To implement the policy, management needs to develop backup procedures as 
well. 


2. What to Backup - It is necessary to decide which data should be backed up. E.g. E- 
commerce data, financial data, employee’s data, email data, data of various applications, 
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system logs and system configuration files etc. are critical in nature and need to be backed up 
on priority basis. 


3. Backup Frequency — How frequently a backup should be taken, also needs to be 
defined. E.g. critical data may be backed up every day, every hour or immediately (known as 
mirroring of data). 


4. Backup Storage Location — Backup should be stored safely and securely preferably at 
a separate geographic location. Another copy of the backup can be kept near the primary site, 
so that if needed, it can be easily procured. 


5. Backup Retention Period -— Backup policy decides how long backup/s should be 
retained. After the retention period, the backup is either destroyed securely or it is archived 
and then destroyed securely. 


6. Testing - Backup needs to be tested regularly so that when needed it can be correctly 
restored. Organisations setup separate systems for restoring backup data and test it for 
correctness of restoration. 


7. Training - Not all data will be backed up by the IT Department. Users may have their 
important data stored on their laptops or desktops. It is the user's responsibility to back up this 
data. Therefore, adequate training must be provided to the users about the backup policy and 
backup system. IT personnel also need training on the backup policy and backup procedures. 


8. Tape Control - Many organisations use magnetic tapes for backing up of data. Some 
large organisations have very high number of tapes and may require a tape library 
management system. This system allows automated tape backup, management and 
restoration of data on tapes. 


Backup methods 


Organisations use special backup software for taking and restoring backup of data. This 
software generally provides 4 types of backup methods, which are explained below — 


1. Full backup - Any backup strategy should start with a full or normal backup as the 
first backup. A full backup backs up all the data selected for backup. Many system 
administrators always take a full backup of data as it is safer. However, taking a full backup all the 
time has the following drawbacks - 


i. Full backup consumes a lot of storage on media. 

ii. Reduced disk life (due to repeated overwriting) 

iii. Increased backup cost since many tapes are required 

iv. Longer time is required for a full backup 

v. Inefficient method if there is a very small change in data 
2. Incremental Backup - An incremental backup is a backup of only the changes made to the 
data since the previous backup. Every incremental backup is stored on the media as separate 
data. The following figure illustrates incremental backup - 


To start with, a full backup is taken on Monday. On subsequent days, only an incremental backup is 
taken. Thus, we have, on backup media, 5 copies, one for each day, plus the full backup of Monday. If 
on the next Monday it is required to restore the backup, we will have to restore all these backups, 
i.e. the full backup plus the incremental backups of Tuesday through Saturday. If any of the 
incremental backups or the full backup is unavailable, we will not be able to restore the backup. 


Figure 4.3.12 - Mon: Full backup; Tue, Wed, Thurs, Fri, Sat: Incremental; Sun: Full + Incremental (M+Tu+W+Th+F+S) 


Incremental backup is the fastest of all the backup methods. 


3. Differential Backup - In a differential backup, a backup is taken of all the changes that 
have happened after the last full backup. It requires more time than an incremental backup but less 
time than a full backup. A differential backup example is given in Figure 4.3.13. 


Figure 4.3.13 - Mon: Full backup; Tue, Wed, Thurs, Fri, Sat: Differential; Sun: Full + Differential (M+S) 


Notice that, to start with, a full backup is taken on Monday. On each subsequent day, a 
differential backup is taken. Unlike an incremental backup, a differential backup includes all the changes 
since the full backup while taking the current backup. Thus, on Saturday, the changes of Tuesday to Saturday are 
written to the media. If the backup needs to be restored, only the full backup and the last differential 
backup will be required. 
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4. Virtual Full Backups - This type of backup is a synchronised backup, wherein first 
time a full backup is taken and subsequently whenever change takes place, the backup is 
synchronised for the changes. 
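The following Python simulation is added here (it is not from the course material) to make the restore-chain difference between full, incremental and differential backups concrete: it replays one week of constructed file changes under each method, reports how much is written to media, and shows which days' media are needed for a restore and what happens when one of them is unavailable. The file names, the weekly schedule and the change pattern are constructed.

```python
from dataclasses import dataclass

# Constructed example: a small file set that changes over one week, modelled as
# {path: version}.  A backup is recorded as the file versions written to the
# medium on that day.
SCHEDULE = ["Mon", "Tue", "Wed", "Thurs", "Fri", "Sat"]
CHANGES = {
    "Mon":   {"ledger.db": 1, "payroll.xlsx": 1, "config.ini": 1},  # first day: all files
    "Tue":   {"ledger.db": 2},
    "Wed":   {"payroll.xlsx": 2},
    "Thurs": {"ledger.db": 3},
    "Fri":   {"config.ini": 2},
    "Sat":   {"ledger.db": 4},
}


@dataclass
class Backup:
    day: str
    kind: str    # "full", "incremental" or "differential"
    files: dict  # path -> version captured on this medium


def run_backups(schedule, changes, method):
    """Take a full backup on the first day, then `method` on every later day.
    Returns (backups, final_state)."""
    state, since_full, backups = {}, {}, []
    for i, day in enumerate(schedule):
        todays = changes.get(day, {})
        state.update(todays)
        since_full.update(todays)
        if i == 0 or method == "full":
            backups.append(Backup(day, "full", dict(state)))
            since_full = {}
        elif method == "incremental":          # only what changed since the last backup
            backups.append(Backup(day, "incremental", dict(todays)))
        elif method == "differential":         # everything changed since the last full
            backups.append(Backup(day, "differential", dict(since_full)))
        else:
            raise ValueError(f"unknown method {method!r}")
    return backups, state


def restore_chain(backups):
    """Media needed to restore to the latest point, in the order to apply them."""
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    latest = backups[-1]
    if latest.kind == "full":
        return [latest]
    if latest.kind == "differential":
        return [backups[last_full], latest]           # full + last differential only
    return backups[last_full:]                        # full + every incremental after it


def restore(backups, lost=frozenset()):
    """Rebuild the file set from the chain; None if any needed medium is lost."""
    chain = restore_chain(backups)
    if any(b.day in lost for b in chain):
        return None
    result = {}
    for b in chain:
        result.update(b.files)
    return result


def media_used(backups):
    """Total file versions written across the week (a proxy for tape consumption)."""
    return sum(len(b.files) for b in backups)


if __name__ == "__main__":
    for method in ("full", "incremental", "differential"):
        backups, final = run_backups(SCHEDULE, CHANGES, method)
        chain = [b.day for b in restore_chain(backups)]
        print(f"{method:12s} media={media_used(backups):2d} restore needs {chain} "
              f"ok_without_Wed={restore(backups, lost={'Wed'}) == final}")
```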


3.9 Patch Management 


A software patch is a change to existing application software, an operating system or any other 
computer software to improve it for functionality, security, usability etc. 


Patch management is part of software maintenance involving the following - 
i. Acquiring the patch from the vendor or a vendor approved agency 

ii. Testing the patch on a test site 

iii. Installing the patch 

iv. Reporting about the update 

v. Audit of the patch 


We shall see the details of each in the patch management process. 


Patch management characteristics 
Patch management should have the following characteristics — 


1. Sound Policy and Procedure - Organisations should have a Patch Management 
Policy for all types of software used in the organisation. 


2. Patch Scanner: Patch scanning software helps to find missing patches and generates 
a report for review by the IT team. Based on this report, the IT team can decide about installing the 
patches. 


3. Efficient Patch Deployment: Patches need to be tested in a test environment before 
they can be applied on production site/s. Patching desktops and laptops can be done 
efficiently through Active Directory. 


4. Review & Report: Reports provide a comparison between the patch scanner report and the 
patch testing report. Review of these reports indicates the benefits of the patches installed. 


Benefit of Patching 
Patching helps achieving following benefits - 


1. Risk Mitigation - Patching mitigates security risks related to viruses, Trojans, and 
other security flaws which were inadvertently present in the software. Software developers are 
continuously improving their software for functionality, security, bugs removal etc. 
2. Compliance with Standards - Updating software with the latest patches is now becoming a 
compliance requirement, since more and more organisations are vulnerable to modern 
security hazards. 


3. Software Integrity - Patch management ensures integrity of the installed software or 
operating systems. 


4. System Productivity: Patch management improves productivity of a system, since it 
may incorporate new technology features. 


5. With Latest Features: Patch management improves usage of new features which are 
provided by software developers. 


3.10 Summary 


In this chapter, we discussed various types of software such as system software, application 
software and operating systems and their interfaces. 


We also discussed importance of software testing and different types of testing which are 
used in organisations. 


We discussed the Database Management System (DBMS), especially the most commonly used 
type, RDBMS. RDBMS is an important backbone of every computer system and we looked into a few 
details of RDBMS such as schemas, SQL commands etc. 


We then discussed today’s networking and linkage between users and software systems. 


In the end, we discussed about backup and patch management systems and their importance 
to organisations. 




3.11 Questions 
1. The main focus of acceptance testing is 
A. Ensuring that the system is acceptable to management 
B. Accepting errors & bugs in the system 
C. Ensuring that the system is acceptable to users 
D. Ensuring that the system is acceptable to auditors 


2. Which of the following tests would be carried out when individual software 
modules are combined together as a group? 
A. Integration testing 
B. Unit testing 
C. System testing 
D. White box testing 


3. Which of the following should be reviewed to provide assurance of the database 
referential integrity? 
A. Field definition 
B. Master table definition 
C. Composite keys 
D. Foreign key structure 


4. When evaluating the effectiveness and adequacy of a preventive computer 
maintenance program, which of the following would be considered to be MOST 
helpful to an IS Auditor? 
A. A system downtime log 
B. Vendors' reliability figures 
C. Regularly scheduled maintenance log 
D. A written preventive maintenance schedule 


5. In a relational DBMS a record refers to which of the following? 
A. Tuple 
B. Rows 
C. Column 
D. Transaction 


6. Which of the following will ensure that a column in one table will have a valid 
value or shall be “null” in another table’s column? 
A. Primary key 
B. Secondary key 
C. SQL 
D. Foreign key 


7. Database normalization is 
A. Data redundancy optimization 
B. Data logging and accountability 
C. Streamlining data process 
D. Deleting temporary files 


8. Which of the following is NOT a property of database transactions? 
A. Consistency 
B. Atomicity 
C. Insulation 
D. Durability 


9. After discovering a security vulnerability in a third-party application that 
interfaces with several external systems, a patch is applied to a significant 
number of modules. Which of the following tests should an IS auditor 
recommend? 
A. Stress 
B. Black box 
C. Interface 
D. System 


10. An organization has recently installed a security patch, which crashed the 
production server. To minimize the probability of this occurring again, an IS 
auditor should: 
A. Apply the patch according to the patch's release notes. 
B. Ensure that a good change management process is in place. 
C. Thoroughly test the patch before sending it to production. 
D. Approve the patch after doing a risk assessment. 


3.12 Answers and Explanations 


1. The correct answer is C 

Acceptance testing is a testing technique performed to determine whether or not the 
software system has met the requirement specifications. The main purpose of this test 
is to evaluate the system's compliance with the business requirements and verify if it 
has met the required criteria for delivery to end users. Choices A, B and D are not the 
focus of acceptance testing. 


2. The correct answer is A 


Integration testing is a level of software testing where individual units are combined and 
tested as a group. The purpose of this level of testing is to expose faults in the 
interaction between integrated units. Option B is module testing, while C is complete 
system testing and Option D is testing of internal logic as well. 


3. The correct answer is D 


Referential integrity in a relational database refers to consistency between linked tables. 
Referential integrity is usually enforced by the combination of a primary key and a 
foreign key. For referential integrity to hold, any field in a table that is declared a foreign 
key should contain only values from a parent table’s primary key. Option A Field 
definitions describe the layout of the table, but are not directly related to referential 
integrity. Option B Master table definition describes the structure of the database, but is 
not directly related to referential integrity. Option C Composite keys describe how the 
keys are created, but are not directly related to referential integrity. 


4. The correct answer is A 


A system downtime log provides information regarding the effectiveness and adequacy 
of computer preventive maintenance programs. The log is a detective control, but 
because it is validating the effectiveness of the maintenance program, it is validating a 
preventive control. Option B Vendor's reliability figures are not an effective measure of 
a preventive maintenance program. Option C Reviewing the log is a good detective 
control to ensure that maintenance is being done; however, only the system downtime 
will indicate whether the preventive maintenance is actually working well. Option D A 
schedule is a good control to ensure that maintenance is scheduled and that no items 
are missed in the maintenance schedule; however, it is not a guarantee that the work is 
actually being done. 


5. The correct answer is A 


Tuple. A record is called a tuple. Choices B, C and D do not represent a record. Choice B 
is many rows and not a single row. 


6. The correct answer is D 
Foreign key. A primary key by itself does not represent a relation; the foreign key is the same key 
held in another table, and it represents the relation with the table where that key is the primary key. 




Background Material on Information Systems Audit 3.0 Course (Module 4) 


7. The correct answer is A 


Normalization is a database design technique that organizes tables in a manner that 
reduces redundancy and dependency of data. Normalization divides larger tables into 
smaller tables and links them using relationships. The purpose of Normalization is to 
eliminate redundant (useless) data and ensure data is stored logically. The main idea 
with this is that a table should be about a specific topic and only supporting topics 
included. By limiting a table to one purpose you reduce the number of duplicate data 
contained within your database. This eliminates some issues stemming from database 
modifications. 


8. The correct answer is C 


It is isolation, not insulation. A transaction in a database should be designed in such a 
way that it satisfies the ACID property. A is Atomicity, C is Consistency, I is Isolation and 
D is Durability. This means that, when a programmer or DBA defines a transaction (such 
as Insert or Update), it should be defined in such a way that it will satisfy the ACID test, 
i.e. the transaction will be atomic (not divisible further), when completed it will keep the 
database in a consistent state, it will be isolated while it is executing and it will be written 
to persistent (permanent) storage such as secondary storage. 


9. The correct answer is D 


Given the extensiveness of the patch and its interfaces to external systems, system 
testing is most appropriate. System testing will test all the functionality and interfaces 
between modules. Option A Stress testing relates to capacity and availability and does 
not apply in these circumstances. Option B Black box testing would be performed on the 
individual modules, but the entire system should be tested because more than one 
module was changed. Option C Interface testing would test the interaction with external 
systems, but would not validate the performance of the changed system. 


10. The correct answer is B. 


An IS auditor must review the change management process, including patch 
management procedures, and verify that the process has adequate controls and make 
suggestions accordingly. The other choices are part of a good change management 
process but are not an IS auditor's responsibility. 
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Learning Objectives 


Students will learn what normal working is and what an incident is. Incidents may 
occur due to natural causes such as an earthquake, or man-made causes such as a virus, cyber attack etc. 
Incident response and management is important so that incidents can be reduced in future. This 
chapter deals only with man-made incidents. 


We will learn what Incident handling & response is, how to build an effective Incident response 
capability, the different phases of building Incident response capability, the steps to build each phase 
of Incident response capability, the benefits of Incident response capability, the Security Operations 
Centre, what SIEM (Security Information & Event Management) tools are, deployment of SIEM 
tools and the utility of SIEM tools. 

4.1 Incident Handling & Response 


An incident is defined as a deviation from the normal operation of a process. Normal operations 
may be hampered due to a natural cause or a man-made cause. We shall discuss only the 
man-made causes in this chapter. There are many kinds of incidents, such as - 


i. Cyber attack by hackers 

ii. Breach in cyber security 

iii. Attack on National Critical Infrastructure (IT enabled) 

iv. Virus or malware induction 

v. Hacking & Advanced Persistent Threat 

vi. Misconfiguration of a system 

vii. Software malfunction 

viii. Human error in the IT department 


The intensity of an incident can be judged by the motive and timing of the incident. Human error, 
misconfiguration of a system, software malfunction etc. can be considered as incidents 
due to manual errors and omissions during the IS operations of the organisation. 


However, incidents such as virus, malware, hacking, cyber attacks etc are man-made 
purposeful incidents. These are done with a mala fide intention. 
Organisations need to prepare themselves for handling and responding to these types of 
incidents in an efficient and consistent manner. Organisations need resources, planning and 
systematic preparation in this regard. Organisations usually face a lot of challenges such as - 


1. Identification of IT assets which are susceptible to cyber incidents 

2. Identification of an incident 

3. Objective analysis of incidents 

4. Need to scan through a bulk of information and logs 

5. Criteria for zeroing in on an incident 

6. Identification of IT assets actually damaged due to incident/s 

7. Identification of loss of data 

8. Tracing out the source of the incident 

9. Brainstorming for modus operandi 

10. Impact analysis 

11. Forensic investigation of the incident and collecting evidence 

12. Fixing the responsibility 


Incident Response Process 


Incident Response requires proper planning and procedure. The process of Incident response 
is shown in Figure — 4.4.1 and is discussed as follows — 


1. Prepare — Preparation helps an organisation to recover in a decided time, lowering the 
impact of an incident and saving reputation of the organisation. Reputation risk can be 
considered one of the highest risks since it may lead to closure of the business. 


Preparation can be of the following types - 

1A. Administrative Preparation 

i. Incident policy, procedures, standards and guidelines should be established 

ii. Identification of the IT assets which are critical to the organisation 

iii. Training for the incident response team 

iv. Awareness for employees 

v. Impact analysis 

vi. Knowledge of the business 

vii. Brand value 

viii. Political system of the country 

ix. Laws & regulations 


Figure 4.4.1 - Incident response process: Preparation, Identification, Eradication, Recovery, Follow up, Documentation 
1B. Technical Preparation 
i. Risk assessment and risk management 
ii. Data classification 
iii. Assessment of confidentiality, integrity and availability of data 
iv. Technology infrastructure 
v. Dependency on certain technology providers, developers etc. 
vi. Controls 
vii. Possible vulnerabilities 
viii. Cyber threats 
ix. Cyber security posture 
x. Possible source/s of threat/s 
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2. Identification - The organisation should identify an incident and then take action 
accordingly. Most organisations usually fail to properly identify incident/s and unnecessarily 
engage manpower and other resources. 


Challenges in incident identification are - 

i. Knowing that an incident has happened or is happening 

ii. Analysis of data (which may be large) associated with the incident 

iii. Declaring an incident 

iv. Correctly describing details about the incident 


With skills, experience, tools and technology, this difficult task of identifying an incident can be 
handled by Incident Response Team. 


With Technology and other tools (which sometimes are in-built into the cyber security 
equipment and software), an Incident Response Team can do the following - 


a. Notice any suspicious events, sometimes with the help of outsourced support.
b. Receive alerts generated by SIEM (Security Information & Event Management system), DLP (Data Leakage Prevention), IPS/IDS (Intrusion Prevention System / Intrusion Detection System) and firewall.
c. Generate cyber-security audit reports.
d. Resolve anomalies reported by the SOC (Security Operations Centre).

Incidents can be analysed as given below -

i. Time of occurrence of the incident
ii. How it was detected, i.e. by an alert, by the IT team, by observing anomalies, etc.
iii. What impact it is going to have on the IT asset
iv. Source of the incident
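The identification step above, in which the monitoring team checks alerts against pre-set criteria, declares those that qualify as incidents, and records when the incident occurred, how it was detected, the impacted asset and the source, can be shown in code. The following Python example is added here and is not part of the ICAI material; the thresholds, the critical-asset list and the sample alerts are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-set criteria of the monitoring team. Constructed values for illustration,
# not thresholds recommended by the ICAI material.
CRITICAL_ASSETS = {"core-banking-db", "payment-gateway"}
SEVERITY_THRESHOLD = 8          # a single alert at or above this severity is an incident
REPEAT_THRESHOLD = 3            # this many alerts of one rule from one source within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample alerts, shaped like the output of IDS/DLP/firewall tools (not real data)
SAMPLE_ALERTS = [
    {"time": "2024-03-01T09:00:05", "tool": "IDS", "rule": "ssh-bruteforce",
     "src_ip": "203.0.113.7", "asset": "hr-portal", "severity": 4},
    {"time": "2024-03-01T09:02:11", "tool": "IDS", "rule": "ssh-bruteforce",
     "src_ip": "203.0.113.7", "asset": "hr-portal", "severity": 4},
    {"time": "2024-03-01T09:04:40", "tool": "IDS", "rule": "ssh-bruteforce",
     "src_ip": "203.0.113.7", "asset": "hr-portal", "severity": 4},
    {"time": "2024-03-01T09:30:00", "tool": "DLP", "rule": "bulk-export",
     "src_ip": "10.0.5.12", "asset": "core-banking-db", "severity": 6},
    {"time": "2024-03-01T11:15:00", "tool": "Firewall", "rule": "port-scan",
     "src_ip": "198.51.100.9", "asset": "dmz-web", "severity": 2},
]


def _record(alerts, reason):
    """Build the incident analysis record the text asks for: when it occurred,
    how it was detected, which IT asset is impacted, and the source."""
    first = alerts[0]
    return {
        "time_of_occurrence": first["time"],
        "detected_by": f"{first['tool']} alert '{first['rule']}'",
        "impacted_asset": first["asset"],
        "source": first["src_ip"],
        "reason": reason,
        "alert_count": len(alerts),
    }


def declare_incidents(alerts):
    """Apply the pre-set criteria to raw alerts and return the declared incidents."""
    alerts = sorted(alerts, key=lambda a: a["time"])   # ISO-8601 strings sort chronologically
    incidents = []

    # Criteria 1 and 2: one alert is enough if it is severe or touches a critical asset
    for a in alerts:
        if a["severity"] >= SEVERITY_THRESHOLD:
            incidents.append(_record([a], f"severity {a['severity']} >= {SEVERITY_THRESHOLD}"))
        elif a["asset"] in CRITICAL_ASSETS:
            incidents.append(_record([a], f"alert on critical asset {a['asset']}"))

    # Criterion 3: the same rule firing repeatedly from one source inside the time window
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["src_ip"])].append(a)
    for (rule, src_ip), group in groups.items():
        for i, start in enumerate(group):
            t0 = datetime.fromisoformat(start["time"])
            burst = [b for b in group[i:]
                     if datetime.fromisoformat(b["time"]) - t0 <= WINDOW]
            if len(burst) >= REPEAT_THRESHOLD:
                incidents.append(_record(
                    burst, f"'{rule}' from {src_ip} fired {len(burst)} times within {WINDOW}"))
                break   # one incident per (rule, source) burst
    return incidents


if __name__ == "__main__":
    for inc in declare_incidents(SAMPLE_ALERTS):
        print(inc)
```

Run as a script it declares two incidents from the five sample alerts: the DLP alert on the critical database (a single alert that qualifies on asset criticality alone) and the three low-severity IDS alerts that, taken together inside the window, cross the repetition threshold. The port-scan alert stays an alert, which is the point of pre-set criteria: they stop the team engaging resources on every event.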


3. Containment - After the identification of an incident and analysis of the same, the next job of the incident response team shall be containment of the impact of the incident. This involves isolation of the victimised system and not allowing the incident to spread across many systems. This should be done promptly. The performance of the incident response team can be judged by how quickly an incident is identified and contained by the team.

Containment can be done in one or more of the following ways -

i. Terminating all sessions of users logged in as well as other sessions
ii. Blocking the source of the incident




iii. Blocking the socket (a socket is an entry point, i.e. IP address + TCP port) associated with the incident
iv. Changing the administrator or root password


4. Eradication - After the containment of an incident, another important process is eradication. Even after containment, the infected system may still be active with malware and may spread to other systems.

After containment and isolation of the infected system, eradication activities will start, consisting of -

i. Marking of the infected system
ii. Disconnection from the network
iii. Copying logs manually to a USB drive
iv. Analysing the malware/Trojan/bot etc.
v. Disabling the infected accounts of users
vi. Disabling carrier ports
vii. Collecting the evidence
viii. Cleaning the system
ix. Re-scanning the system


5. Recovery - After the eradication process, the next step in incident response is recovery of systems, data, software and connectivity. In the recovery process the incident response team has to ensure that system performance is normal, i.e. no deviation, and that all risks are mitigated with necessary controls such as patching, antivirus updating, and optimisation of ports and services. The following activities are done for the recovery process -

i. Reconnection of the isolated system to the network
ii. All controls restored
iii. Re-loading operating system, applications, antivirus
iv. Re-configuring the affected part of the infected system
v. Infected files/folders replaced
vi. All disabled accounts of users restored
vii. All logs directed to the SOC again
viii. Check the integrity of the system
ix. Scan the system
6. Follow up - Follow up after recovery is an important process for necessary due diligence. The incident response team of the organisation preserves the evidence (with proper integrity) for follow up activities such as -

i. Conducting the root cause analysis
ii. Searching for the culprit person/s, organisation/s or country/s
iii. Investigation
iv. Legal action, if required
v. Damage control for reputation restoration
vi. Trend analysis of the incident


7. Lessons learnt - Documenting the lessons learnt about the incident is a post-facto activity. Learnings can be incorporated in the system and security policies, procedures and guidelines.

8. Documentation - Incidents should be documented with the inputs received, evidence collected, facts, figures, lessons learnt etc. Documentation also covers the reports prepared on the incident response.

Benefits of Incident Management

The following benefits can be highlighted for Incident Management -

i. Immediate response ensures quick resolution of the incident
ii. Minimising the impact of incident/s
iii. Keeping intact the reputation of the organisation
iv. Avoiding damage to brand image
v. Confidence of the investors / stakeholders
vi. Business continuity


4.2 Cyber-Security Framework 


Increasing dependence on cyber space has also increased security hazards for the businesses using cyber space for initiating all business transactions, including payments via banks and financial institutions. However, cyber space is not controlled like the physical world, and therefore cyber hazards have far wider ramifications than the earlier physical world or even non-cyber usage of computers (i.e. using computers without Internet).

Therefore, it is becoming necessary for organisations to have better cyber security, and the starting point is a Cyber Security Framework. Frameworks help in a common understanding among all concerned. Therefore, many regulators in India, especially the banking sector regulator, the Reserve Bank of India (RBI), and the Government of India have initiated providing guidelines for developing a Cyber Security Framework for various organisations.

India's National Cyber Security Policy 2013 - The National Cyber Security Policy 2013 was released on July 2, 2013 by the Government of India. Some of the important parts of the policy are reproduced here from the policy itself.


Policy Objectives

1. To create a secure cyber ecosystem in the country, generate adequate trust & confidence in IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy.

2. To create an assurance framework for design of security policies and for promotion and enabling actions for compliance to global security standards and best practices by way of conformity assessment (product, process, technology & people).

3. To strengthen the Regulatory framework for ensuring a Secure Cyberspace ecosystem.

4. To enhance and create at National and Sectoral level, a 24 x 7 mechanism for obtaining strategic information regarding threats to ICT (Information and Communication Technology) infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective, response and recovery actions.

5. To enhance the protection and resilience of Nation's critical information infrastructure by operating a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) and mandating security practices related to the design, acquisition, development, use and operation of information resources.

6. To develop suitable indigenous security technologies through frontier technology research, solution-oriented research, proof of concept, pilot development, transition, diffusion and commercialisation leading to widespread deployment of secure ICT products / processes in general and specifically for addressing National Security requirements.

7. To improve visibility of the integrity of ICT products and services by establishing infrastructure for testing & validation of security of such products.

8. To create a workforce of 500,000 professionals skilled in cyber security in the next 5 years through capacity building, skill development and training.

9. To provide fiscal benefits to businesses for adoption of standard security practices and processes.

10. To enable protection of information while in process, handling, storage & transit so as to safeguard privacy of citizen's data and for reducing economic losses due to cyber-crime or data theft.

11. To enable effective prevention, investigation and prosecution of cyber-crime and enhancement of law enforcement capabilities through appropriate legislative intervention.

12. To create a culture of cyber security and privacy enabling responsible user behaviour & actions through an effective communication and promotion strategy.

13. To develop effective public private partnerships and collaborative engagements through technical and operational cooperation and contribution for enhancing the security of cyberspace.

14. To enhance global cooperation by promoting shared understanding and leveraging relationships for furthering the cause of security of cyberspace.


Strategies

1. To designate a National nodal agency to coordinate all matters related to cyber security in the country, with clearly defined roles & responsibilities.

2. To encourage all organizations, private and public, to designate a member of senior management as Chief Information Security Officer (CISO), responsible for cyber security efforts and initiatives.

3. To encourage all organizations to develop information security policies duly integrated with their business plans and implement such policies as per international best practices. Such policies should include establishing standards and mechanisms for secure information flow (while in process, handling, storage & transit), crisis management plan, proactive security posture assessment and forensically enabled information infrastructure.

4. To ensure that all organizations earmark a specific budget for implementing cyber security initiatives and for meeting emergency response arising out of cyber incidents.

5. To provide fiscal schemes and incentives to encourage entities to install, strengthen and upgrade information infrastructure with respect to cyber security.

6. To prevent occurrence and recurrence of cyber incidents by way of incentives for technology development, cyber security compliance and proactive actions.

7. To establish a mechanism for sharing information and for identifying and responding to cyber security incidents and for cooperation in restoration efforts.

8. To encourage entities to adopt guidelines for procurement of trustworthy ICT products and provide for procurement of indigenously manufactured ICT products that have security implications.

9. To promote adoption of global best practices in information security and compliance and thereby enhance cyber security posture.

10. To create infrastructure for conformity assessment and certification of compliance to cyber security best practices, standards and guidelines (e.g. ISO 27001 ISMS certification, IS system audits, Penetration testing / Vulnerability assessment, application security testing, web security testing).

11. To enable implementation of global security best practices in formal risk assessment and risk management processes, business continuity management and cyber crisis management plan by all entities within Government and in critical sectors, to reduce the risk of disruption and improve the security posture.

12. To create National level systems, processes, structures and mechanisms to generate necessary situational scenario of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities.

13. To operate a 24x7 National Level Computer Emergency Response Team (CERT-In) to function as a Nodal Agency for coordination of all efforts for cyber security emergency response and crisis management. CERT-In will function as an umbrella organization in enabling creation and operationalization of sectorial CERTs as well as facilitating communication and coordination actions in dealing with cyber crisis situations.

14. To operationalize 24x7 sectorial CERTs for all coordination and communication actions within the respective sectors for effective incidence response & resolution and cyber crisis management.

15. To implement Cyber Crisis Management Plan for dealing with cyber related incidents impacting critical national processes or endangering public safety and security of the Nation, by way of well-coordinated, multi-disciplinary approach at the National, Sectoral as well as entity levels.

16. To conduct and facilitate regular cyber security drills & exercises at National, sectoral and entity levels to enable assessment of the security posture and level of emergency preparedness in resisting and dealing with cyber security incidents.

17. To mandate implementation of global security best practices, business continuity management and cyber crisis management plan for all e-Governance initiatives in the country, to reduce the risk of disruption and improve the security posture.

18. To encourage wider usage of Public Key Infrastructure (PKI) within Government for trusted communication and transactions.

19. To engage information security professionals / organisations to assist e-Governance initiatives and ensure conformance to security best practices.


4.2.1 Security Operations Centre (SOC)

A Security Operations Centre (SOC) is developed by an organisation to continuously monitor, detect, alert and respond to cyber-security incidents, using a team of cyber security experts, deployed cyber security tools and sophisticated countermeasures. A typical SOC is shown in Figure - 4.4.2.

A Security Operations Centre (SOC) is a continuous operation and functions 24x7 to monitor, detect, alert and respond to all the activities of the IS infrastructure such as servers, computers, databases, applications and network equipment like routers, switches, controllers etc.

SOC operations and performance are based on the logs collected, which are generated by the organisation's IS infrastructure such as servers, computers, databases, applications and network equipment such as routers, switches, controllers etc. Help of external agencies can also be sought by the SOC.

Logs and external cyber intelligence knowledge (e.g. from CERT-In, the Computer Emergency Response Team - India, which is affiliated to the worldwide CERT network) are collected and, after processing, are sent to tools such as log analysers, network analysers, malware analysers, forensic analysers, cryptosystems and reverse engineering systems for further analysis.

In Figure - 4.4.2, the IS infrastructure includes PCs/desktops, servers, databases, applications and network equipment like routers, switches, controllers etc. All this equipment has the ability to generate logs of the activities taking place on it.

All the logs (which may be at different levels of detail and in different formats) are correlated in a SIEM tool. We shall describe the SIEM system in section 4.3 of this chapter.
Figure - 4.4.2: A typical SOC (figure not reproduced; label visible in the figure: External Intelligence)


A 24x7 monitoring team gets the alerts generated by the SIEM tool. The monitoring team checks these alerts against pre-set criteria for any deviation. If the monitoring team finds that an alert qualifies as an incident, it declares the alert as an incident. The declared incident is sent to the incident response team for further action, as mentioned earlier.

A copy of the incidents is also sent to a team of investigators, who "deep dive" into these incidents. After completion of the investigation, the investigators provide inputs to the cyber-security team of the organisation for further action.
SOC Characteristics

A professionally managed SOC must provide real time alerts and data for investigation, to keep the organisation's security posture current and relevant. A good SOC may have the following characteristics -


i. Policy, Standards and Guidelines - The organisation must have a sound policy related to the SOC and its activities. A good policy provides various suggested steps for monitoring teams and investigators.

ii. Top management support - The SOC requires top management support and leadership accountability by the top management. Top management should provide continuous support in terms of investment, resources and people to the SOC. Top management should have the SOC on the board meeting's agenda. Top management should meet at least once a quarter with the CISO (Chief Information Security Officer).

iii. Investment - The SOC requires adequate investment for 24x7 operations and for performing sophisticated security related operations. Investment may be for purchasing equipment, devices, software etc. (Capex) and for day-to-day operational expenditure (Opex). Monthly or yearly subscriptions to external intelligence knowledge-bases and the AMC cost of the equipment need to be considered for budgetary provisions.

iv. People - The SOC requires two levels of employees. Level 1 may be required in large numbers, working in shifts. They will be monitoring 24x7 with pre-set criteria of deviation to identify and declare an alert as an incident.

Level 2 consists of investigators, who will be doing deep analysis of alerts and incidents to find the root cause of incidents and provide inputs to the cyber security team. This team should have specialised skills in analysis and must be kept abreast of current security hazards and their resolution.

v. Process & Procedures - It is very important to have properly documented procedures and guidelines for speedy identification and resolution of cyber security incidents. Processes and procedures will cover Cyber Security Incident Management from start to end.

vi. Technology - With reference to Figure - 4.4.2, technology plays an important role in the operations of the SOC for log analysis, network analysis, malware analysis, forensic analysis, cryptosystems, signature database updates, packet filtering, packet inspection, data analytics and reverse engineering systems.


Augmentation of technology is not a straightforward process, and it takes the following steps to acquire the correct technology -

1. Preparing specifications for technology by the SOC team
2. Discussions with various vendors
3. Getting POCs (Proof of Concept) from vendors
4. Preparation of feasibility study report by the SOC team
5. Getting quotations/tenders from vendors based on RFP
6. Initiating procurement process
7. Finalising vendor
8. PO (Purchase Order) to vendor and getting confirmation
9. Signing contract with vendor
10. Implementation of technology by the SOC team along with vendor experts
11. Training provided by vendor to the SOC

Usually it takes about 3 months to acquire a technology for the SOC after floating of the RFP.


vii. Environment - Objectives of the SOC must be understood by the SOC team, IT team and cyber security team. Similarly, objectives of the SOC should align with business objectives. Refer to Figure - 4.4.3.

Figure - 4.4.3: Relationship between IS and SOC (figure not reproduced; labels visible in the figure: IS, SOC, Result)

IS infrastructure, processes, people etc. provide inputs to SOC operations, while reporting and deep analysis by the SOC provide valuable inputs to the IS infrastructure.


viii. Analytics & Reporting - Today's SOCs have to handle enormous data and establish correlations in data so that a security incident can be identified and treated.

The SOC can also use data analytics to create insightful metrics and performance measures. It can use some metrics to facilitate operational improvements internally, while management can use others to make more informed decisions for balancing the trade-offs between cost and risks. Thus, a thoughtful metrics and reporting framework can add value beyond mere security matters, helping the business achieve its objectives with the help of IT and cyber space.
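The metrics a SOC reports are mostly elapsed times between the phases of the incident response process described earlier: event to alert, alert to declared incident (the latency that section 4.3 later lists as a compliance item), declared to contained, contained to recovered. The following Python example is added here and is not part of the ICAI material; the incident records, phase names and the SLA limit are constructed for illustration, and open incidents (phases not yet reached) are excluded from the averages rather than counted as zero.

```python
from datetime import datetime

# Constructed incident records as an incident-tracking system might hold them
# (not real incidents). Timestamps mark the phases of the incident response
# process; None means the phase has not been reached yet.
INCIDENT_RECORDS = [
    {"id": "INC-1", "severity": "high", "occurred": "2024-03-01T08:00:00",
     "alerted": "2024-03-01T08:10:00", "declared": "2024-03-01T08:20:00",
     "contained": "2024-03-01T09:00:00", "recovered": "2024-03-01T12:00:00"},
    {"id": "INC-2", "severity": "medium", "occurred": "2024-03-01T14:00:00",
     "alerted": "2024-03-01T14:30:00", "declared": "2024-03-01T14:40:00",
     "contained": "2024-03-01T15:10:00", "recovered": "2024-03-01T17:10:00"},
    {"id": "INC-3", "severity": "high", "occurred": "2024-03-01T20:00:00",
     "alerted": "2024-03-01T20:05:00", "declared": "2024-03-01T20:35:00",
     "contained": "2024-03-01T21:35:00", "recovered": "2024-03-02T01:35:00"},
    {"id": "INC-4", "severity": "low", "occurred": "2024-03-01T22:00:00",
     "alerted": "2024-03-01T22:02:00", "declared": "2024-03-01T22:12:00",
     "contained": None, "recovered": None},   # still open
]

# Each metric is the gap between two phases, measured in minutes
PHASES = {
    "time_to_detect": ("occurred", "alerted"),       # event happened -> SIEM/IDS alert
    "alert_to_incident": ("alerted", "declared"),    # alert -> declared as incident (Level 1 latency)
    "time_to_contain": ("declared", "contained"),    # declared -> isolated
    "time_to_recover": ("contained", "recovered"),   # isolated -> back in service
}


def _minutes(start, end):
    """Elapsed minutes between two ISO timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def phase_durations(record):
    """Minutes spent in each phase for one incident; None where the phase is incomplete."""
    return {name: _minutes(record[a], record[b]) for name, (a, b) in PHASES.items()}


def soc_metrics(records):
    """Aggregate per-incident durations into the figures a SOC would report."""
    durations = {r["id"]: phase_durations(r) for r in records}
    summary = {"incident_count": len(records),
               "open_incidents": sum(1 for r in records if r["recovered"] is None)}
    for name in PHASES:
        values = [d[name] for d in durations.values() if d[name] is not None]
        summary[f"mean_{name}_min"] = round(sum(values) / len(values), 2) if values else None
    # The slowest alert-to-incident conversion is the figure management asks about
    slowest = max(records, default=None,
                  key=lambda r: durations[r["id"]]["alert_to_incident"] or 0)
    summary["slowest_alert_to_incident"] = (
        (slowest["id"], durations[slowest["id"]]["alert_to_incident"]) if slowest else None)
    return summary


def sla_breaches(records, limit_minutes):
    """Incidents whose alert-to-incident latency exceeded the agreed limit."""
    return [r["id"] for r in records
            if (phase_durations(r)["alert_to_incident"] or 0) > limit_minutes]


if __name__ == "__main__":
    for key, value in soc_metrics(INCIDENT_RECORDS).items():
        print(f"{key:30} {value}")
    print("SLA breaches (15 min):", sla_breaches(INCIDENT_RECORDS, 15))
```

The split between internal and management metrics the text describes falls out naturally: the per-incident durations and SLA breaches drive shift-level improvement, while the means and the open-incident count are what a quarterly CISO briefing would carry.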


ix. Physical Controls - The SOC should have general physical controls as well as some specific physical controls. The SOC usually does not share space with the IT department or the Data Centre. SOCs are housed in a separate physical space with no sign boards of the organisation. All necessary devices, equipment, hardware, software and team members are not shared with the IT department and Data Centre teams, for low latency in response and working in a closed environment.


x. Continuous Improvement - The SOC is always under continuous monitoring by the organisation for necessary improvements in the following areas -

a. Performance - in terms of identification of incidents and their speedy resolution
b. Efficiency - maximum benefits with optimum cost
c. People
d. Tools
e. Technology
f. Budget

The following actions should be taken for continuous improvement of the SOC -

1. Periodic assessment for upgrading skills
2. 360-degree feedback on the SOC from various stakeholders
3. Lessons learned by the SOC team after every incident
4. Augmentation of new technology as per need
5. Budget provisions as needed
6. Top management support


4.2.2 Computer Emergency Response Team (CERT)

A Computer Emergency Response Team (CERT) is a team of experts in an organisation, industry, state or country that monitors alerts and declares incidents. A CERT is also termed a Computer Emergency Readiness Team or a Computer Security Incident Response Team (CSIRT).

After a worm hit US industry in 1988, Carnegie Mellon University (CMU), in association with the US government, started a centre in the university premises for the management of cyber incidents. The centre was named the Computer Emergency Response Team - Coordination Centre (CERT-CC). All countries in the world should take copyright permission from CERT-CC to open a CERT in their country. For India it is CERT-In.

The Government of India also emphasises the importance of cyber-security in the country and has started CERT-In, which became operational in January 2004. CERT-In handles incidents within India and reports for further action to the main CERT. Every government, non-government and private establishment should report incidents to CERT-In, so that the country develops a security posture database and these incidents can be shared with all organisations, not only within India but with the entire world through CERT-CC. CERT-In has been empowered through the IT Act 2008 for incident management in India. Section 70B of the IT Act 2008 is detailed as follows -


70B. Indian Computer Emergency Response Team to serve as national agency for incident response

(1) The Central Government shall, by notification in the Official Gazette, appoint an agency of the government to be called the Indian Computer Emergency Response Team.

(2) The Central Government shall provide the agency referred to in sub-section (1) with a Director General and such other officers and employees as may be prescribed.

(3) The salary and allowances and terms and conditions of the Director General and other officers and employees shall be such as may be prescribed.

(4) The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security, -
(a) collection, analysis and dissemination of information on cyber incidents
(b) forecast and alerts of cyber security incidents
(c) emergency measures for handling cyber security incidents
(d) Coordination of cyber incidents response activities
(e) issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
(f) such other functions relating to cyber security as may be prescribed

(5) The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.

(6) For carrying out the provisions of sub-section (4), the agency referred to in sub-section (1) may call for information and give direction to the service providers, intermediaries, data centres, body corporate and any other person.

(7) Any service provider, intermediaries, data centres, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.

(8) No Court shall take cognizance of any offence under this section, except on a complaint made by an officer authorized in this behalf by the agency referred to in sub-section (1).
4.2.3 Indian Banks - Centre for Analysis of Risks and Threats (IB-CART)

As discussed above, after CERT-In, most organisations and the financial sector also started their own CERTs and began reporting incidents to CERT-In. The banking sector CERT started with the same functioning as the US ISAC (Information Sharing and Analysis Center). Some important points about IB-CART are given below -


The Reserve Bank of India's Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds states that "there is a need for a system of information sharing akin to the functions performed by the Financial Services Information Sharing Agency (FS-ISAC) in the US" and recommended that IDRBT set up a body like the FS-ISAC that can enable the sharing of security events amongst banks.

Simultaneously, the National Security Council Secretariat also wanted such centres to be set up in various critical sectors. As banks were well ahead in implementing information security and IDRBT had already set up a CISO Forum for banks, the task of setting up this body for information sharing was entrusted to IDRBT.

Accordingly, IDRBT established the Indian Banks - Centre for Analysis of Risks and Threats (IB-CART) in March 2014. This is the first such centre for the country and has become a model for other critical sectors. The key objectives of the IB-CART are:

- To disseminate and foster the sharing of relevant and actionable threat information among members to ensure the continued public confidence in the banking sector. IB-CART will share and disseminate information associated with physical and cyber events (incidents / threats / vulnerabilities) and resolution or solutions associated with the bank's critical infrastructures and technologies.

- Utilise the sectors' resources (people, process, and technology) to aid the entire sector with situational awareness and advance warning of new physical and cyber security events and challenges.

- Enable infrastructure that enables anonymity and security while capturing and disseminating information.

- Conduct research and intelligence gathering to alert the members of evolving or existing events.

- Support the development of content that is posted to the IB-CART database, advice on mitigation steps or best practices to members.

- Facilitate cross sector information exchange.

Since its establishment, the IB-CART has played a pivotal role in creating a platform to develop safety nets to contain (limit) cyber-attacks. It has been constantly engaging with the IT executives of banks to resolve security concerns of the banking sector. The IB-CART team also performs cyber drills regularly to help banks strengthen their incident management process.

The IB-CART now has more than 90 users from over 60 public, private and foreign banks in India. The IB-CART advisory council has 9 members with representation from public and private sector banks and CERT-In.


4.3 SIEM Tool and its Utility

SIEM is the most important tool and is the core of the SOC. SIEM stands for Security Information & Event Management and performs two major functions in the SOC: Security Information Management (SIM) and Security Event Management (SEM). Refer to Figure - 4.4.2, where both parts are shown separately without mentioning their technical names, for ease of understanding. So, as per the functionality of the SIEM,

SIEM = SEM + SIM

Security Event Management (SEM) is used to provide real time monitoring and notifications to the Level 1 manpower in the SOC, while Security Information Management (SIM) is used to perform correlation, in-depth analysis, storing the analysis files and reporting those files (Level 2 manpower of the SOC) based on the requirements of the user organisation.


4.3.1 Deployment of SIEM Tool

The SIEM tool, as discussed, is an important part of the SOC, and its deployment in the SOC needs to be planned as per the policy, budget and skillsets of the SOC team. Some SOCs have 2 levels of manpower while other SOCs have more than 2 levels. Let us go through some important decision points for the deployment of SIEM in the SOC.

i. Scope of Work (SOW) - As discussed earlier, SIEM is the core of the SOC. Thus the scope of the SIEM will also be the scope of the SOC. The SOC team defines the scope of work in three areas: operations, security and compliance. These are explained as -

a. Operation: The SIEM tool is deployed by an organisation to do continuous monitoring, detecting, alerting and responding to cyber-security incidents, using a team of cyber security experts, cyber security tools and sophisticated processes. The SIEM tool should enable the SOC to operate continuously, 24x7 throughout the year.

The SIEM should be able to collect logs of all connected devices and equipment of the IS infrastructure such as servers, computers, databases, applications and network equipment like routers, switches, controllers, firewalls etc.

Another scope item is the number of correlated files to be stored and the kind of reports to be provided. The SIEM tool always has two sides to its operation, viz. on one side the sizing of devices it can cater for, and on the other side the output it provides, such as alerts, reports and correlated files.


b. Security: Logs provide the information related to all events of the activities performed by the devices and equipment. The events usually indicate vulnerabilities in the system and possible development of threats. It is very difficult for the SOC team to read the logs of thousands of devices installed in an organisation.

The SIEM tool collects logs from all these thousands of devices, arranges them in a common format, assesses them, correlates them and then develops the security posture of the IS infrastructure of the organisation. The security posture is provided to the cyber security team of the organisation as feedback. The cyber security team then takes the necessary corrective and preventive actions.

c. Compliance: Auto-generated reports from the SIEM related to the security posture of an organisation can be taken up for audits. Auditors should be able to use the reports of the SIEM tool. For compliance purposes the auditee must ensure the following, as per the SIEM deployment in the SOC -

a. Asset list maintained in the company vis-a-vis the assets that the SIEM is monitoring
b. Scope of work
c. Logs and events
d. SOC detailed processes
e. Security posture database
f. Reporting
g. Latency in conversion of alert into incident


ii. Use case details - A use case provides details about the laid down procedure/s to interface a device. As discussed, the SIEM tool has two interfaces, as shown in Figure - 4.4.4.

Figure - 4.4.4: The two interfaces of SIEM (figure not reproduced; labels visible in the figure: IS Infrastructure, SIEM, Report)

The use case for the IS infrastructure relates to logs and correlation on one side, while reports and investigation etc. are on the other.


Installation of SIEM - The IS infrastructure of the organisation consists of various devices 
and equipment such as servers, computers, databases, applications and network equipment 
like routers, switches, controllers etc. These devices and equipment generate logs of their 
activity. Logs are very important for security: they provide information about all events 
arising from the activities performed by the devices and equipment. 


A SIEM has various components that perform activities such as collection of logs, 
arrangement of logs in a common format, and correlation. Please refer to Figure - 4.4.5. 
The components of a SIEM are as follows - 


a. Agents - All the devices in the IS infrastructure need to have an agent of the SIEM 
tool installed. An agent is software that collects logs from the device and sends them 
to the collector of the SIEM tool. These agents can be configured remotely from the 
central SIEM tool. 


Agents collect only those logs for which they are configured. They can also be used to 
filter out some events based on pre-set criteria. An agent is expected to normalise the 
logs so that no redundant information reaches the central SIEM tool. After filtering and 
normalisation, agents send the logs to the SIEM collector over a secure, encrypted 
connection. 


b. Collectors - The collector application collects logs from the agents, performs further 
normalisation and applies any pre-set filtering criteria. The collector may be a standalone 
application separate from the SIEM or an inbuilt feature of it. 


[Figure - 4.4.5: SIEM components - log sources (Servers, Firewall, IPS/IDS), Collector, 
External Intelligence and SIEM Application] 
Figure - 4.4.5 


c. SIEM Core - The SIEM core is the logic of the SIEM and is composed of multiple 
pieces of software. It collects all the events and logs from the collector and also 
continuously collects input from external intelligence sources in the outside world. The 
SIEM core performs the processing that falls under the scope of the SOC for operations, 
security and compliance. The SIEM core handles the following areas - 


1. Risk Assessment for IS infrastructure 
2. Correlation of events collected by the collector and external intelligence 
3. Any deviation in normal operations of the IS Infrastructure 
4. Data Mining & Data Analysis 
5. Real-Time Monitoring and alerts 
6. Cyber Security posture 
7. Correlated data for Forensic & Investigation 
8. Reports 
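The agent, collector and core functions described above, as an added example in Python 
that is not part of this material or of any SIEM product. It takes constructed raw log lines 
in two invented device formats, normalises them into an assumed common schema on the 
agent side, drops a heartbeat line that the agent is not configured to forward, and then 
applies one constructed correlation rule on the core side: several failed logins from one 
source followed by a success within a short window raises an alert. The field names, 
regular expressions, window and threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw log lines in two invented vendor formats (not real device output).
RAW_LOGS = [
    "2024-03-01T09:00:01 fw-edge-01 FW: action=DENY src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2024-03-01T09:00:05 srv-app-01 sshd: Failed password for admin from 203.0.113.9 port 50122",
    "2024-03-01T09:00:09 srv-app-01 sshd: Failed password for admin from 203.0.113.9 port 50123",
    "2024-03-01T09:00:14 srv-app-01 sshd: Failed password for admin from 203.0.113.9 port 50124",
    "2024-03-01T09:00:20 srv-app-01 sshd: Accepted password for admin from 203.0.113.9 port 50125",
    "2024-03-01T09:00:30 srv-app-01 HEARTBEAT: agent alive",
    "2024-03-01T09:05:00 srv-db-01 sshd: Failed password for dba from 10.0.0.7 port 40001",
    "2024-03-01T09:30:00 srv-db-01 sshd: Accepted password for dba from 10.0.0.7 port 40002",
]

# Assumed parsers for the two constructed formats.
FW_RE = re.compile(r"^(\S+) (\S+) FW: action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")


def normalise(line):
    """Agent side: map one vendor-specific line to the assumed common schema
    (ts, host, src_ip, user, event, outcome). Returns None for lines the agent
    is not configured to forward, such as the heartbeat, so they never reach
    the collector or the core."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, _dst, _dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "src_ip": src,
                "user": None, "event": "fw.connection",
                "outcome": "deny" if action == "DENY" else "allow"}
    m = SSH_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "src_ip": src,
                "user": user, "event": "auth.login",
                "outcome": "success" if result == "Accepted" else "failure"}
    return None  # filtered out: not a configured event type


def correlate_brute_force(events, threshold=3, window=timedelta(minutes=2)):
    """Core side: one constructed correlation rule. At least `threshold` failed
    logins from the same source to the same host within `window`, followed by a
    successful login from that source, produces an alert. The pattern is invisible
    in any single log line; it only appears once events are normalised and grouped."""
    alerts = []
    failures = defaultdict(list)  # (src_ip, host) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "auth.login":
            continue
        key = (ev["src_ip"], ev["host"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "ts": ev["ts"],
                           "src_ip": ev["src_ip"], "host": ev["host"],
                           "user": ev["user"], "failures": len(recent)})
        failures[key].clear()  # a success resets the failure history for this key
    return alerts


def run_pipeline(raw_lines):
    """Agent normalisation and filtering, then core correlation, over the raw lines."""
    events = [e for e in (normalise(line) for line in raw_lines) if e is not None]
    return events, correlate_brute_force(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    print(f"{len(events)} normalised events, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

The single failed login on srv-db-01 followed by a success 25 minutes later does not 
fire the rule, which is the point of a window and a threshold: the rule separates a typist's 
mistake from a pattern that deserves an alert. Tuning those two values is a recurring SOC 
task, and the audit checklist item on alert-to-incident latency only makes sense once the 
rules produce alerts that analysts can act on.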


4.3.2 SIEM Tools Utility 


A SIEM tool provides the following advantages to an organisation - 


a. Discover vulnerabilities 
b. Uncover threats 
c. Monitoring 
d. Compliance 
e. Security profile 
f. Internal Intelligence 
g. Alerts 
h. Reporting 
i. Incident Management 
j. Forensic Investigation 


4.4 Summary 


In this chapter, we discussed cyber security incidents and how to deal with them. 
Organisations need to establish Incident Management to correctly handle cyber security 
incidents and reap the benefits of cyber space. Senior management should support 
security and incident handling by setting up policies and procedures and by giving 
adequate resources and training to employees. 


We also discussed how a SOC and a SIEM can help in handling incidents and in taking 
preventive and corrective actions on them. The whole cyber world is under threat from 
various security hazards; CERT is making efforts to tackle these threats successfully, and 
India is also contributing. 


We learned, in brief, about the operations of a SOC and the SIEM tool, and how they help 
in fighting security hazards. 

4.5 Questions 
1. The basic operation of SIEM tools on the logs collected from the devices is 
A. Correlating the log 
B. Collecting the log 
C. Analysing the log 
D. Live Correlating the log 

2. Which of the following is not a part of SIEM tools? 
A. Sensor 
B. Collector 
C. Agent 
D. Log 

3. Which one is not part of a SIEM application? 
A. Risk assessment 
B. Vulnerability Scanning 
C. Real time monitoring 
D. Normalization 

4. How does a SIEM tool handle the issue of completeness of logs? 
A. Encryption 
B. Hashing 
C. Digital Signing 
D. Time stamping 

5. The computer security incident response team (CSIRT) of an organization 
publishes detailed descriptions of recent threats. An IS auditor's GREATEST 
concern should be that the users may: 
A. Use this information to launch attacks 
B. Forward the security alert 
C. Implement individual solutions 
D. Fail to understand the threat 

6. The main goal of a Security Operation Centre (SOC) is 
A. Detect, analyse and report 
B. Detect, analyse and respond 
C. Collect, analyse and report 
D. Collect, analyse and respond 

7. What is the primary purpose of an incident management program? 
A. Identify and assess incidents 
B. Conduct lessons learned sessions 
C. Alert key individuals 
D. Assign responsibility 

8. A SOC shall be ineffective without the support of - 
A. Risk 
B. Budget 
C. Top management 
D. Quality 
9. The phases of an incident management program are 
A. Prepare, Respond, and follow up 
B. Plan, prepare, and respond 
C. Plan, prepare and follow up 
D. Prepare, plan and respond 

10. Within an Incident Response Management program, the Containment phase aims 
to 
A. Block the event 
B. Reduce the impact 
C. Remove the event 
D. Raise the event 


4.6 Answers and Explanations 
1. The correct answer is D 

Log correlation is about constructing rules that look for sequences and patterns in log 
events that are not visible in the individual log sources. The basic function of a SIEM is 
to correlate logs online and perform analysis that would otherwise be done by repetitive 
human analysis. 

2. The correct answer is C 

SIEM is defined as a complex set of technologies to provide real-time event collection, 
monitoring, correlating, and analyzing events across disparate sources, making it easier 
to monitor and troubleshoot IT infrastructure in real time. An agent is a third-party tool 
for supporting devices. Options A, B and D are parts of SIEM tools. 

3. The correct answer is D 

Normalization is a database design technique that organizes tables in a manner that 
reduces redundancy and dependency of data. Normalization divides larger tables into 
smaller tables and links them using relationships. Option D is not part of SIEM 
applications. 

4. The correct answer is B 

A privileged user with some knowledge of the internal structure of the SIEM data can 
easily delete logs, backdate logs, or modify existing logs. Hashing log files or log entries 
and storing the hash on disk for future verification ensures the integrity and completeness 
of the logs. For encryption, signing and time stamping you need a well-managed public 
key infrastructure (PKI) with secure hardware storage for keys. 
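The hashing approach in this explanation, as an added example in Python that is not part 
of this material. It goes one step beyond hashing each entry on its own by chaining the 
hashes, so that the digest of each entry also covers the digest of the entry before it; the 
stored digests then reveal modification, deletion, insertion and reordering (backdating) of 
entries, and only the final digest needs to be kept somewhere the SIEM administrator 
cannot alter. The log entries are constructed sample data; the chaining design and the 
function names are the example's own assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # digest "before" the first entry; any fixed, public value will do

# Constructed sample log entries; a real deployment would chain its normalised events.
SAMPLE_ENTRIES = [
    {"ts": "2024-03-01T09:00:05", "host": "srv-app-01", "user": "admin", "msg": "login failed"},
    {"ts": "2024-03-01T09:00:09", "host": "srv-app-01", "user": "admin", "msg": "login failed"},
    {"ts": "2024-03-01T09:00:20", "host": "srv-app-01", "user": "admin", "msg": "login ok"},
    {"ts": "2024-03-01T09:07:00", "host": "srv-app-01", "user": "admin", "msg": "sudo su"},
]


def entry_digest(prev_digest, entry):
    """SHA-256 over the previous digest plus a canonical JSON encoding of the entry.
    Sorted keys and no whitespace make the encoding, and so the digest, reproducible."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest.encode() + canonical).hexdigest()


def build_chain(entries):
    """Return one digest per entry; each digest covers every entry up to and
    including its own, because it is computed over the previous digest."""
    digests, prev = [], GENESIS
    for entry in entries:
        prev = entry_digest(prev, entry)
        digests.append(prev)
    return digests


def verify_chain(entries, stored_digests):
    """Recompute the chain over the log as it exists now and compare it with the
    digests stored earlier. Returns (ok, first_bad_index), with first_bad_index -1
    when the log is intact. A mismatch at index i means the entry at position i was
    modified, deleted, inserted, reordered or appended without authorisation; every
    later digest mismatches too, so only the first position is reported."""
    recomputed = build_chain(entries)
    for i in range(max(len(recomputed), len(stored_digests))):
        if (i >= len(recomputed) or i >= len(stored_digests)
                or recomputed[i] != stored_digests[i]):
            return False, i
    return True, -1


# Digests to be kept on separate, write-once or strictly access-controlled storage,
# out of reach of the privileged user who can edit the log itself.
STORED_DIGESTS = build_chain(SAMPLE_ENTRIES)


if __name__ == "__main__":
    print("intact:", verify_chain(SAMPLE_ENTRIES, STORED_DIGESTS))
    backdated = [SAMPLE_ENTRIES[0], SAMPLE_ENTRIES[2], SAMPLE_ENTRIES[1], SAMPLE_ENTRIES[3]]
    print("reordered:", verify_chain(backdated, STORED_DIGESTS))
```

The chain only helps if the stored digests cannot be rewritten along with the log, which 
is why they belong on separate storage; the explanation's remark about PKI applies at 
that point, since signing or time-stamping the chain head is what stops an administrator 
who controls both copies from recomputing everything consistently.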


5. The correct answer is A 

An organization's computer security incident response team (CSIRT) should 
disseminate recent threats, security guidelines and security updates to the users to 
assist them in understanding the security risk of errors and omissions. However, this 
introduces the risk that the users may use this information to launch attacks, directly or 
indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to 
assist them in mitigation of risk arising from security failures and to prevent additional 
security incidents resulting from the same threat. Option B, forwarding the security alert, 
is not harmful to the organization. Option C, implementing individual solutions, is unlikely 
and inefficient, but not a serious risk. Option D, users failing to understand the threat, 
would not be a serious concern. 

6. The correct answer is B 

A Security Operation Centre (SOC) is a centralized function within an organization 
employing people, processes, and technology to continuously monitor and improve an 
organization's security posture while preventing, detecting, analyzing, and responding 
to security incidents. Reporting is not part of the SOC. 

7. The correct answer is A 

An Incident Response Management Program aims to manage the lifecycle of all incidents 
(unplanned interruptions or reductions in quality of IT services). The primary objective of 
this program is to identify, assess, analyze, and correct the incidents to prevent a future 
re-occurrence and to make the IT service available to users as quickly as possible. 

8. The correct answer is C 

Without clear executive support, a SOC may be ineffective, and its value will not be 
realized. Creating an effective SOC requires support to establish a clear mandate for 
the SOC and a long-term strategy, and also a strong SOC leader to drive organizational 
change and develop a culture of security. The SOC leader shall take care of Risks and 
Quality. 

9. The correct answer is A 

An incident response program can be broken down into four broad phases: (1) Preparation; 
(2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post-
Event Activity. Hence Option A, Prepare, Respond, and follow up, is in the correct order. 
Options B, C and D are incomplete. 

10. The correct answer is B 

When a breach is first discovered, in the containment phase, the Incident Response 
team, after having gathered the information and gained an understanding of the incident, 
will begin to combat the threat by taking actions to prevent further damage, such as 
closing ports or blocking IPs. Hence Option B is the correct answer. 